
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-25375 was discovered in the Linux kernel's RNDIS USB gadget implementation. The vulnerability was reported on February 20, 2022, and affects Linux kernel versions before 5.16.10. The issue is in drivers/usb/gadget/function/rndis.c, where the RNDIS USB gadget does not validate the size of the RNDIS_MSG_SET command (NVD, MITRE).
The vulnerability stems from the RNDIS_MSG_SET handler (rndis_set_response), which calls gen_ndis_set_resp with a buffer pointer offset by BufOffset + 8. The BufOffset variable is read from the RNDIS message but is not validated against the buffer boundaries. By manipulating the four-byte InformationBufferOffset member of rndis_set_msg_type, an attacker can offset the actual buffer by up to 0xffffffff bytes (OSS-Security).
The vulnerability allows attackers to obtain sensitive information from kernel memory. When exploited, attackers can extract up to 0xffffffff bytes of kernel space memory, two bytes at a time. While the process is relatively slow, it remains effective in extracting sensitive kernel data (GitHub-POC).
The vulnerability was patched in Linux kernel version 5.16.10 by adding size validation checks for the RNDIS_MSG_SET command. The fix rejects the message if BufLength exceeds RNDIS_MAX_TOTAL_SIZE or if BufOffset + 8 is greater than or equal to RNDIS_MAX_TOTAL_SIZE (Linux-Commit).
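The bounds check described above, as an added user-space example; it is not the kernel's code or the upstream patch. The struct layout is simplified, fields are kept in host byte order, the value of RNDIS_MAX_TOTAL_SIZE is an assumption, set_info_start and probe are hypothetical names, and the final range check against the received length is an extra of this example beyond the two conditions quoted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RNDIS_MAX_TOTAL_SIZE 1558u  /* assumed limit for this example */

/* Simplified SET message header; offsets are counted from RequestID (byte 8). */
struct set_msg {
    uint32_t MessageType, MessageLength, RequestID, OID;
    uint32_t InformationBufferLength, InformationBufferOffset, DeviceVcHandle;
};

/* Return where the information buffer starts inside msg (in bytes from the
 * message start), or -1 if the host-supplied fields do not fit. `received`
 * is the number of bytes actually read from the host. */
long set_info_start(const uint8_t *msg, size_t received)
{
    struct set_msg hdr;
    uint64_t start;

    if (received < sizeof(hdr) || received > RNDIS_MAX_TOTAL_SIZE)
        return -1;
    memcpy(&hdr, msg, sizeof(hdr));           /* no unaligned access */

    /* The two conditions described for the fix, computed in 64 bits so
     * that offset + 8 cannot wrap for offsets close to 0xffffffff. */
    start = (uint64_t)hdr.InformationBufferOffset + 8;
    if (hdr.InformationBufferLength > RNDIS_MAX_TOTAL_SIZE ||
        start >= RNDIS_MAX_TOTAL_SIZE)
        return -1;

    /* Extra check in this example: the range must lie in the received bytes. */
    if (start + hdr.InformationBufferLength > received)
        return -1;
    return (long)start;
}

/* Hypothetical helper: build a constructed message and run the check on it. */
long probe(uint32_t offset, uint32_t length, size_t received)
{
    uint8_t buf[RNDIS_MAX_TOTAL_SIZE] = {0};
    struct set_msg h = { .InformationBufferLength = length,
                         .InformationBufferOffset = offset };
    memcpy(buf, &h, sizeof(h));
    return set_info_start(buf, received);
}

int main(void) { return probe(0xfffffffcu, 2, 64) == -1 ? 0 : 1; }
```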
Source: This report was generated using AI