Linux Kernel HID Gadget Driver Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's USB HID gadget driver. This issue arises because the lifetime of the embedded character device structure is not properly linked to the enclosing HID gadget structure. As a result, if a device file is kept open while the gadget is being deleted, it can lead to a use-after-free condition. The vulnerability can be reproduced using example programs from libusbgx, or by directly manipulating the gadget via configfs.

Impact

Triggering the use-after-free condition may allow an attacker to execute arbitrary code or cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by opening the device file corresponding to the HID gadget (e.g., /dev/hidg0) and keeping it open while removing the gadget using the 'gadget-vid-pid-remove' command. This sequence creates a use-after-free condition by disconnecting the gadget before the open device file is closed.
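
The same open-then-remove sequence, as a userspace C model in which every open file holds a reference on the enclosing gadget structure, so deletion cannot free memory that an open file still reaches. This is an added example, not kernel code and not the upstream fix; all names (hid_gadget, dev_open, gadget_remove and the rest) are hypothetical.

```c
/* Userspace model, constructed for illustration; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
static int freed_count;          /* number of gadget structures released */

struct hid_gadget {
    int refs;                    /* one for the creator, one per open file */
    int removed;                 /* set once the gadget has been deleted */
    struct { int minor; } cdev;  /* embedded character device state */
};

static struct hid_gadget *gadget_create(void) {
    struct hid_gadget *g = calloc(1, sizeof(*g));
    if (!g) return NULL;
    g->refs = 1;                 /* the creator's reference */
    return g;
}

/* Free only when the last holder lets go. */
static void gadget_put(struct hid_gadget *g) {
    if (--g->refs == 0) { free(g); freed_count++; }
}

/* open(): pin the enclosing structure while the file stays open. */
static struct hid_gadget *dev_open(struct hid_gadget *g) {
    if (g->removed) return NULL;
    g->refs++;
    return g;
}

/* I/O after removal fails cleanly; the memory behind g is still valid. */
static int dev_write(struct hid_gadget *g) { return g->removed ? -1 : 0; }
static void dev_close(struct hid_gadget *g) { gadget_put(g); }

/* Deletion drops only the creator's reference. */
static void gadget_remove(struct hid_gadget *g) { g->removed = 1; gadget_put(g); }

/* Open, remove, write, close. Returns 1 if memory outlived the open file. */
static int run_scenario(void) {
    freed_count = 0;
    struct hid_gadget *g = gadget_create();
    if (!g) return -1;
    struct hid_gadget *f = dev_open(g);
    gadget_remove(g);
    int ok = freed_count == 0 && dev_write(f) == -1;
    dev_close(f);
    return ok && freed_count == 1;
}
int main(void) { printf("lifetime held: %d\n", run_scenario()); return 0; }
```

In the vulnerable arrangement the page describes, the removal step would free the structure directly, leaving the open file pointing at released memory.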

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Oct 22, 2025, 6:03 PM
Updated: Oct 22, 2025, 6:03 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.