Linux Kernel USB Gadget Use-After-Free Vulnerability in Uevent Handling

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's USB gadget subsystem. It arises in the 'usb_udc_uevent' function, where a race condition between uevent callbacks and the unregistration of gadget drivers can leave the callback reading memory that has already been freed. The vulnerability was discovered by the syzbot fuzzer, which showed that 'usb_udc_uevent' accesses the 'udc->driver' field without holding the necessary mutex lock. As a result, the function can read a deallocated driver structure, causing a use-after-free condition. The vulnerability affects Linux kernel versions prior to 5.19.0-rc4-next-20220628-syzkaller.
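
The race described above, reduced to a deterministic single-threaded C model (an added example, not the kernel's code; every name, including `struct udc`, `lock_held` and the `g_demo` driver, is hypothetical). The reader checks the driver pointer, the unregistration path runs, then the reader uses the pointer, once without the lock and once with the lock held across both the check and the use.

```c
/* Userspace model added for illustration; not kernel code. All names are hypothetical. */
#include <stdio.h>
#include <string.h>
struct drv { const char *function; int live; };    /* live == 0 models freed memory */
struct udc { struct drv *driver; int lock_held; }; /* lock_held models the mutex */
/* Unregistration path: detach the driver and "free" it, but only with the lock. */
static int unbind(struct udc *u)
{
    if (u->lock_held)
        return -1;               /* a real unbind would sleep until the reader unlocks */
    if (u->driver) {
        u->driver->live = 0;     /* stands in for freeing the driver structure */
        u->driver = NULL;
    }
    return 0;
}
/* Uevent path; the unbind() call forces the worst-case interleaving between check and use. */
static int uevent(struct udc *u, int take_lock, char *out, size_t n)
{
    int ret = 0;
    if (take_lock) u->lock_held = 1;
    struct drv *d = u->driver;                           /* check */
    if (d) {
        unbind(u);                                       /* racing unregistration */
        if (!d->live)
            ret = -1;                                    /* real code would read freed memory */
        else
            snprintf(out, n, "DRIVER=%s", d->function);  /* use */
    }
    if (take_lock) u->lock_held = 0;
    return ret;
}

/* One scenario on constructed data: 0 = safe read and the deferred unbind completed. */
static int run(int take_lock, char *out, size_t n)
{
    struct drv d = { "g_demo", 1 };                      /* constructed sample driver */
    struct udc u = { &d, 0 };
    int ret = uevent(&u, take_lock, out, n);
    return (ret == 0 && unbind(&u) == 0 && !d.live) ? 0 : -1;
}

int main(void)
{
    char a[64] = "", b[64] = "";
    int r0 = run(0, a, sizeof a), r1 = run(1, b, sizeof b);
    printf("no lock: %d, lock held: %d (%s)\n", r0, r1, b);
    return 0;
}
```

Without the lock the model reports the stale read (-1); with the lock held, the unregistration is deferred until the reader has finished and the read is safe (0).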

Impact

The use-after-free condition can potentially be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Remediation

Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability. The specific commit that resolves this issue is available in the Linux kernel's official Git repository.

Added: Jun 18, 2025, 9:11 PM
Updated: Jun 18, 2025, 9:11 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.5
remediation: 7.7
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.