Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: Fix endpoint check The syzbot fuzzer detected a problem in the udlfb driver, caused by an endpoint not having the expected type: usb 1-1: Read EDID byte 0 failed: -71 usb 1-1: Unable to get valid EDID from device/display ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980 dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315 dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111 dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743 The current approach for this issue failed to catch the problem because it only checks for the existence of a bulk-OUT endpoint; it doesn't check whether this endpoint is the one that the driver will actually use. We can fix the problem by instead checking that the endpoint used by the driver does exist and is bulk-OUT.

References 6

• git.kernel.org https://git.kernel.org/stable/c/1522dc58bff87af79461b96d90ec122e9e726004
• git.kernel.org https://git.kernel.org/stable/c/58ecc165abdaed85447455e6dc396758e8c6f219
• git.kernel.org https://git.kernel.org/stable/c/9e12c58a5ece41be72157cef348576b135c9fc72
• git.kernel.org https://git.kernel.org/stable/c/c8fdf7feca77cd99e25ef0a1e9e72dfc83add8ef
• git.kernel.org https://git.kernel.org/stable/c/e19383e5dee5adbf3d19f3f210f440a88d1b7dde
• git.kernel.org https://git.kernel.org/stable/c/ed9de4ed39875706607fb08118a58344ae6c5f42

Remediation