CVE-2023-54277

Source
https://cve.org/CVERecord?id=CVE-2023-54277
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54277.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-54277
Published
2025-12-30T12:16:05.690Z
Modified
2026-03-20T12:33:31.935159Z
Summary
fbdev: udlfb: Fix endpoint check
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: udlfb: Fix endpoint check

The syzbot fuzzer detected a problem in the udlfb driver, caused by an endpoint not having the expected type:

usb 1-1: Read EDID byte 0 failed: -71
usb 1-1: Unable to get valid EDID from device/display
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
...
Call Trace:
 <TASK>
 dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980
 dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315
 dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111
 dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743

The current approach for this issue failed to catch the problem because it only checks for the existence of a bulk-OUT endpoint; it doesn't check whether this endpoint is the one that the driver will actually use.

We can fix the problem by instead checking that the endpoint used by the driver does exist and is bulk-OUT.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54277.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f6db63819db632158647d5bbf4d7d2d90dc1a268
Fixed
1522dc58bff87af79461b96d90ec122e9e726004
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c4fb41bdf4d6ccca850c4af5d707d14a0fb717a7
Fixed
58ecc165abdaed85447455e6dc396758e8c6f219
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4df1584738f1dc6f0dd854d258bba48591f1ed0e
Fixed
9e12c58a5ece41be72157cef348576b135c9fc72
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
aaf7dbe07385e0b8deb7237eca2a79926bbc7091
Fixed
c8fdf7feca77cd99e25ef0a1e9e72dfc83add8ef
Fixed
e19383e5dee5adbf3d19f3f210f440a88d1b7dde
Fixed
ed9de4ed39875706607fb08118a58344ae6c5f42
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
895ea8a290ba87850bcaf2ecfcddef75a014fa54

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54277.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
5.4.244
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.181
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.114
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.31
Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
6.3.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54277.json"