public inbox for linux-usb@vger.kernel.org
* [PATCH] USB: hub: add early rejection for corrupted or high-risk devices
@ 2026-01-31 16:34 HackNOW Team
  2026-01-31 17:47 ` Alan Stern
  0 siblings, 1 reply; 3+ messages in thread
From: HackNOW Team @ 2026-01-31 16:34 UTC (permalink / raw)
  To: linux-usb; +Cc: marco.crivellari, khtsai, gregkh


[-- Attachment #1.1: Type: text/plain, Size: 2080 bytes --]

Hi all,

This patch adds a defensive security check during USB device enumeration
in hub.c to reject devices with malformed descriptors or high-risk device
classes such as Mass Storage devices potentially carrying threats.

Devices that fail the check are disconnected immediately and a kernel
alert is logged.

This is intended to reduce the attack surface at the kernel level and
prevent potentially malicious or corrupted USB devices from being fully
initialized. It does not replace userspace malware detection or USB
authorization frameworks.

Patch details:

--- drivers/usb/core/hub.c
+++ drivers/usb/core/hub.c
@@ -5465,16 +5465,53 @@ static void hub_port_connect(struct usb_hub
*hub, int port1, u16 portstatus,
mutex_lock(hcd->address0_mutex);
retry_locked = true;
- /* reallocate for each attempt, since references
- * to the previous one can escape in various ways
- */
- udev = usb_alloc_dev(hdev, hdev->bus, port1);
- if (!udev) {
- dev_err(&port_dev->dev,
- "couldn't allocate usb_device\n");
- mutex_unlock(hcd->address0_mutex);
- usb_unlock_port(port_dev);
- goto done;
- }
+ /*
+ * Security check: detect and block suspicious or potentially
corrupted USB devices
+ */
+ if (!udev->descriptor || !udev->descriptor.bLength ||
udev->descriptor.bLength > USB_DT_DEVICE_SIZE) {
+ printk(KERN_ALERT "Banned from kernel: corrupted USB device detected
(VID: %04x, PID: %04x) on port %d\n",
+        udev->descriptor.idVendor, udev->descriptor.idProduct,
port1);
+ usb_free_dev(udev);
+ mutex_unlock(hcd->address0_mutex);
+ usb_unlock_port(port_dev);
+ return -ENODEV;
+ }
+
+ if (udev->descriptor.bDeviceClass == USB_CLASS_MASS_STORAGE) {
+ printk(KERN_ALERT "Banned from kernel: mass storage device
potentially infected (VID: %04x, PID: %04x) on port %d\n",
+        udev->descriptor.idVendor, udev->descriptor.idProduct,
port1);
+ usb_free_dev(udev);
+ mutex_unlock(hcd->address0_mutex);
+ usb_unlock_port(port_dev);
+ return -ENODEV;
+ }
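
Review bot: the added checks read udev->descriptor immediately after this hunk deletes the usb_alloc_dev() call that assigned udev, together with its NULL check, so nothing in the visible code has allocated udev or filled in a descriptor by the time the tests run; keep the allocation and place any descriptor validation after the point where the descriptor has actually been read. In the same lines, `!udev->descriptor` applies `!` to a member that the rest of the hunk accesses with `.` (a struct, not a pointer), so it will not compile, and both error paths `return -ENODEV` from a function the hunk header declares as `static void`, where the removed code used `goto done`. The second test rejects every device whose bDeviceClass is USB_CLASS_MASS_STORAGE with no way to configure it, which is a blanket ban on a device class rather than a corruption check and should be justified or left to policy. The hunk is also line-wrapped by the mailer and its body does not add up to the `-5465,16 +5465,53` counts in the header, so it cannot be applied as posted.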

Signed-off-by: HNOWFoundation <hacknow@ikmail.com>


[-- Attachment #2: 0001-USB-hub-add-early-rejection.patch --]
[-- Type: text/x-patch; name=0001-USB-hub-add-early-rejection.patch, Size: 1259 bytes --]

From 27230b93d463d1b548bd4d4ca0128eb69930691c Mon Sep 17 00:00:00 2001
From: HackNOW <hacknow@ikmail.com>
Date: Sat, 31 Jan 2026 15:47:24 +0100
Subject: [PATCH] USB: hub: add early rejection for corrupted or high-risk
 devices

This adds a defensive security check during device enumeration to reject
USB devices with malformed descriptors or high-risk device classes such as
Mass Storage devices potentially carrying threats.

Devices that fail the check are disconnected immediately and a kernel alert
is logged.
---
 drivers/usb/core/hub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 68d955184cfb..fad8ce14d9f8 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5488,7 +5488,7 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
                 * If a device is rejected, it is disconnected immediately and a security warning
                 * is logged to the kernel log.
                 *
-                * NOTE:
+                * NOTE: 
                 * This is a defensive mechanism and does not replace full userspace malware
                 * detection or USB authorization frameworks.
                 */
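
Review bot: the only change in this hunk is trailing whitespace added after `NOTE:` inside a comment; no check is added, which agrees with the diffstat of 1 insertion and 1 deletion but not with the commit message, which describes rejecting devices and logging a kernel alert. The attachment therefore does not carry the code shown inline in the mail body, and the comment in the context lines describes behaviour that this patch does not introduce. Resend one patch that contains the actual change, drop the whitespace-only edit, and include a Signed-off-by line in the commit message, which is absent from this attachment.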
-- 
2.43.0



* Re: [PATCH] USB: hub: add early rejection for corrupted or high-risk devices
  2026-01-31 16:34 [PATCH] USB: hub: add early rejection for corrupted or high-risk devices HackNOW Team
@ 2026-01-31 17:47 ` Alan Stern
       [not found]   ` <afa209d3-e3ce-4f58-8746-8aac6699adb7@mail.infomaniak.com>
  0 siblings, 1 reply; 3+ messages in thread
From: Alan Stern @ 2026-01-31 17:47 UTC (permalink / raw)
  To: HackNOW Team; +Cc: linux-usb, marco.crivellari, khtsai, gregkh

On Sat, Jan 31, 2026 at 05:34:34PM +0100, HackNOW Team wrote:
> Hi all,
> 
> This patch adds a defensive security check during USB device enumeration
> in hub.c to reject devices with malformed descriptors or high-risk device
> classes such as Mass Storage devices potentially carrying threats.
> 
> Devices that fail the check are disconnected immediately and a kernel
> alert is logged.
> 
> This is intended to reduce the attack surface at the kernel level and
> prevent potentially malicious or corrupted USB devices from being fully
> initialized. It does not replace userspace malware detection or USB
> authorization frameworks.

Pretty amusing stuff.  Thanks for the joke posting; I could use a good 
laugh today.

Alan Stern


* Re: Fw: Re: [PATCH] USB: hub: add early rejection for corrupted or high-risk devices
       [not found]   ` <afa209d3-e3ce-4f58-8746-8aac6699adb7@mail.infomaniak.com>
@ 2026-02-01  7:27     ` gregkh
  0 siblings, 0 replies; 3+ messages in thread
From: gregkh @ 2026-02-01  7:27 UTC (permalink / raw)
  To: HackNOW Team
  Cc: linux-usb@vger.kernel.org, marco.crivellari@suse.com,
	khtsai@google.com

On Sat, Jan 31, 2026 at 06:57:12PM +0100, HackNOW Team wrote:
> Hi Alan,
> 
> I must respectfully disagree with your characterization. This patch is
> a serious defensive security improvement for the USB subsystem, not a
> joke. Its purpose is to prevent devices with malformed descriptors or
> high-risk classes from being fully initialized, thereby reducing the
> kernel attack surface.
> 
> I would appreciate feedback focused on the technical merits of the
> patch.

Sorry, but no, I agree with Alan, this is a funny post.  Next time you
might wish to wait for April 1 to send it to get the proper chuckle out
of us.

thanks,

greg k-h
