Google Nexus 6 f_usbnet Kernel Uninitialized Memory Leak Over USB

Aleph Research Advisory





Nexus 6

Vulnerable Version

Nexus 6 before build NBD90Z

Technical Details

Motorola’s f_usbnet kernel driver implements an Ethernet over USB gadget. This gadget can be enabled by a physical attacker, by rebooting the device into one of two special bootmodes: ‘BP-Tools’ or ‘Factory Mode’. The driver leaks 4-5 bytes of uninitialized kernel data for each frame it sends over USB, allowing an unauthenticated physical attacker to leak information out of the device.

The usb_ether_xmit function receives the socket buffer (skb) and queues it on the USB endpoint. The function adds another 4-5 bytes to the socket buffer ‘len’ field, in order to reserve space for the soon to be transmitted frame’s CRC. Since the function does not compute and set the CRC on the reserved space, the field is sent uninitialized (and may contain data of previous allocations) over the USB wire.

static int usb_ether_xmit(struct sk_buff *skb, struct net_device *dev) {
    struct usbnet_context *context = netdev_priv(dev);
    struct usb_request *req;
    unsigned long flags;
    unsigned len;
    int rc;
    req = usb_get_xmit_request(STOP_QUEUE, dev);
    /* Add 4 bytes CRC */
    skb->len += 4;

    /* ensure that we end with a short packet */
    len = skb->len;
    if (!(len & 63)|| !(len & 511))
    req->context = skb;
    req->buf = skb->data;
    req->length = len;

    rc = usb_ep_queue(context->bulk_in, req, GFP_KERNEL);
    return 0;




External References