2350583 – (CVE-2025-21835) CVE-2025-21835 kernel: usb: gadget: f_midi: fix MIDI Streaming descriptor lengths

Bug 2350583 (CVE-2025-21835) - CVE-2025-21835 kernel: usb: gadget: f_midi: fix MIDI Streaming descriptor lengths

Summary: CVE-2025-21835 kernel: usb: gadget: f_midi: fix MIDI Streaming descriptor len...

Keywords:
Status:	NEW
Alias:	CVE-2025-21835
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-07 10:01 UTC by OSIDB Bzimport
Modified:	2025-11-25 11:08 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-07 10:01:06 UTC

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_midi: fix MIDI Streaming descriptor lengths

While the MIDI jacks are configured correctly, and the MIDIStreaming
endpoint descriptors are filled with the correct information,
bNumEmbMIDIJack and bLength are set incorrectly in these descriptors.

This does not matter when the numbers of in and out ports are equal, but
when they differ the host will receive broken descriptors with
uninitialized stack memory leaking into the descriptor for whichever
value is smaller.

The precise meaning of "in" and "out" in the port counts is not clearly
defined and can be confusing.  But elsewhere the driver consistently
uses this to match the USB meaning of IN and OUT viewed from the host,
so that "in" ports send data to the host and "out" ports receive data
from it.

Comment 1 Michal Findra 2025-03-07 15:35:14 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025030704-CVE-2025-21835-7fab@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.