CVE-2024-41035

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 29/07/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor

Syzbot has identified a bug in usbcore (see the Closes: tag below) caused by our assumption that the reserved bits in an endpoint descriptor's bEndpointAddress field will always be 0. As a result of the bug, the endpoint_is_duplicate() routine in config.c (and possibly other routines as well) may believe that two descriptors are for distinct endpoints, even though they have the same direction and endpoint number. This can lead to confusion, including the bug identified by syzbot (two descriptors with matching endpoint numbers and directions, where one was interrupt and the other was bulk).

To fix the bug, we will clear the reserved bits in bEndpointAddress when we parse the descriptor. (Note that both the USB-2.0 and USB-3.1 specs say these bits are "Reserved, reset to zero".) This requires us to make a copy of the descriptor earlier in usb_parse_endpoint() and use the copy instead of the original when checking for duplicates.
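The masking step described above, modeled in user-space C as an added example; it is not the kernel patch or code from config.c. The struct, function names and sample descriptors are constructed for illustration, and the bit layout assumed is the one in the USB specification (bits 0-3 endpoint number, bits 4-6 reserved, bit 7 direction).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed bEndpointAddress layout: bits 0-3 number, 4-6 reserved, 7 direction. */
#define EP_NUMBER_MASK 0x0f
#define EP_DIR_MASK    0x80

/* Simplified endpoint descriptor model (hypothetical, only two fields). */
struct ep_desc {
    uint8_t bEndpointAddress;
    uint8_t bmAttributes;      /* bits 0-1: 2 = bulk, 3 = interrupt */
};

/* Duplicate check on the address byte as stored in the accepted list. */
static int is_duplicate(const struct ep_desc *seen, size_t n, uint8_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (seen[i].bEndpointAddress == addr)
            return 1;
    return 0;
}

/* Parse device-supplied descriptors into out[]. With sanitize set, each
 * descriptor is copied and its reserved bits cleared before the duplicate
 * check, so the check and all later users see the same value.
 * Returns the number of endpoints accepted. */
static size_t parse_endpoints(const struct ep_desc *in, size_t n,
                              struct ep_desc *out, int sanitize)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        struct ep_desc d = in[i];            /* work on a copy */
        if (sanitize)
            d.bEndpointAddress &= EP_DIR_MASK | EP_NUMBER_MASK;
        if (is_duplicate(out, accepted, d.bEndpointAddress))
            continue;                        /* skip the duplicate endpoint */
        out[accepted++] = d;
    }
    return accepted;
}

/* Constructed sample: endpoint 1 IN as interrupt, then endpoint 1 IN as
 * bulk with reserved bit 4 set in the address byte. */
static const struct ep_desc sample[2] = { { 0x81, 0x03 }, { 0x91, 0x02 } };

int main(void)
{
    struct ep_desc out[2];
    printf("raw compare: %zu accepted\n", parse_endpoints(sample, 2, out, 0));
    printf("reserved bits cleared: %zu accepted\n", parse_endpoints(sample, 2, out, 1));
    return 0;
}
```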

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.2.87 (including) 3.3 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.10.106 (including) 3.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.12.70 (including) 3.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.16.42 (including) 3.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.1.39 (including) 4.2 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.4.42 (including) 4.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.9.3 (including) 4.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10.1 (including) 4.19.318 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.280 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.222 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.163 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.100 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.41 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.10 (excluding)
cpe:2.3:o:linux:linux_kernel:4.10:-:*:*:*:*:*:*