CVE-2024-36895 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: use correct buffer size when parsing configfs lists

This commit fixes uvc gadget support on 32-bit platforms.

Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions for reuse") introduced a helper function __uvcg_iter_item_entries() to aid with parsing lists of items on configfs attributes stores. This function is a generalization of another very similar function, which used a stack-allocated temporary buffer of fixed size for each item in the list and used the sizeof() operator to check for potential buffer overruns. The new function was changed to allocate the now variably sized temp buffer on heap, but wasn't properly updated to also check for max buffer size using the computed size instead of sizeof() operator.

As a result, the maximum item size was 7 (plus null terminator) on 64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just barely enough, 3 is definitely too small for some of UVC configfs attributes. For example, dwFrameInteval, specified in 100ns units, usually has 6-digit item values, e.g. 166666 for 60fps.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 11/22/2025

The vulnerability CVE-2024-36895 affects the Linux kernel's USB gadget subsystem, specifically within the UVC (USB Video Class) gadget implementation. This issue manifests as a buffer size calculation error that impacts the parsing of configfs lists used in USB video device configuration. The problem was introduced through a code refactoring that aimed to generalize helper functions for better reuse across different UVC attributes. The commit 0df28607c5cb modified the __uvcg_iter_item_entries() function to dynamically allocate heap memory for temporary buffers instead of using stack-allocated fixed-size buffers. However, this change was incomplete as the code failed to properly update the buffer size validation logic to use the computed variable size rather than the fixed sizeof() operator. This oversight created a critical discrepancy between 32-bit and 64-bit platform behavior, where the maximum item size was severely constrained on 32-bit systems.

The technical flaw stems from improper buffer management in the UVC gadget driver's configfs attribute parsing mechanism. When the system processes UVC configuration attributes through configfs, it needs to handle various data types including frame intervals that can contain multi-digit numeric values. On 64-bit platforms, the buffer size limitation resulted in a maximum item size of 7 bytes including null terminator, which coincidentally was sufficient for most cases despite being unnecessarily small. However, on 32-bit platforms, the buffer size was capped at only 3 bytes, which proved inadequate for handling typical UVC attributes like dwFrameInterval values. These frame interval values are expressed in 100-nanosecond units and commonly require 6-digit representations, such as 166666 for 60fps video streams, clearly exceeding the 3-byte limit. This fundamental buffer size constraint creates a potential for buffer overflow conditions when processing UVC configuration data, particularly on 32-bit architectures where the limitation is most severe.

The operational impact of this vulnerability is significant for embedded systems and devices that rely on Linux kernel USB gadget functionality for video streaming applications. Systems using 32-bit processors for USB video device emulation may experience complete failure of UVC gadget functionality when attempting to configure video streams with standard frame intervals. The vulnerability essentially breaks UVC gadget support on 32-bit platforms, rendering USB video devices non-functional for their intended purpose. This affects a wide range of devices including USB webcams, video capture devices, and embedded systems that implement USB video class functionality through the Linux kernel's USB gadget framework. The impact is particularly severe in industrial IoT applications, embedded video surveillance systems, and mobile devices that utilize 32-bit ARM processors for USB video streaming capabilities, where the complete failure of UVC gadget support can result in system downtime and loss of video functionality.

This vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions, and CWE-122, which covers heap-based buffer overflow scenarios. The issue also maps to ATT&CK technique T1059.007 for execution through kernel-level code manipulation and T1547.001 for privilege escalation through kernel vulnerabilities. The fix involves correcting the buffer size validation logic to properly utilize the computed variable buffer size instead of relying on the fixed sizeof() operator. This ensures that the temporary buffers allocated for UVC configfs attribute parsing can accommodate the full range of expected data sizes across all supported architectures. The resolution requires updating the __uvcg_iter_item_entries() function to maintain proper bounds checking using the actual allocated buffer size rather than the original fixed-size calculation. This change restores proper UVC gadget functionality on both 32-bit and 64-bit platforms, ensuring that USB video devices can properly configure and stream video data through the kernel's USB gadget framework. The fix demonstrates the critical importance of proper buffer management in kernel code and highlights how seemingly minor refactoring changes can introduce significant security and functionality issues in low-level system components.

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00234

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!