Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the USB gadget component of the Linux kernel. This issue arises during the transition of USB configurations, particularly when switching from RNDIS to other settings. If the hardware fails to support the 'pullup' callback or encounters a rare fault, the absence of a proper callback can lead to a system panic by freeing memory that is still in use. This vulnerability is present in the Linux kernel stable tree.
Exploitation of this vulnerability causes a system panic due to a use-after-free condition, potentially leading to arbitrary code execution or memory corruption.
The vulnerability can be reproduced by disconnecting a USB gadget that is using the RNDIS function. This can be done by writing 'none' to the UDC entry of the USB gadget configuration, which triggers the disconnection process. If the hardware does not support the 'pullup' callback or if a low-probability fault occurs, the 'pullup' callback may fail. This failure causes the RNDIS function to be unregistered, leading to a use-after-free condition when the associated resources are accessed after being freed.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.
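To decide which hosts to prioritise for the upgrade, the following added example (not part of the original advisory or of the kernel project) lists configfs USB gadgets that define an RNDIS function and reports whether each is currently bound to a UDC. It assumes configfs is mounted at the usual `/sys/kernel/config` and that RNDIS functions appear as `functions/rndis.<instance>`; the function names and the sample tree are constructed for illustration, and the script only reads.

```shell
#!/bin/sh
# Added example: inventory configfs USB gadgets that define an RNDIS function.
# Read-only: it never writes to the UDC attribute.

# Prints one line per gadget that has an rndis.* function:
#   <gadget> <bound|unbound> <udc-name or -> <rndis instances, comma-separated>
list_rndis_gadgets() {
    root=${1:-/sys/kernel/config/usb_gadget}   # assumed default mount point
    [ -d "$root" ] || return 0
    for g in "$root"/*/; do
        [ -d "${g}functions" ] || continue
        inst=""
        for f in "${g}functions"/rndis.*; do
            [ -e "$f" ] || continue            # glob did not match anything
            inst="${inst:+$inst,}${f##*/}"
        done
        [ -n "$inst" ] || continue             # no RNDIS function in this gadget
        udc=""
        [ -r "${g}UDC" ] && udc=$(tr -d '[:space:]' < "${g}UDC")
        name=${g%/}; name=${name##*/}
        if [ -n "$udc" ]; then
            printf '%s bound %s %s\n' "$name" "$udc" "$inst"
        else
            printf '%s unbound - %s\n' "$name" "$inst"
        fi
    done
}

# Constructed sample tree (not real configfs) so the check can run offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/g1/functions/rndis.usb0" "$d/g2/functions/acm.GS0" \
             "$d/g3/functions/rndis.usb0"
    echo "dummy_udc.0" > "$d/g1/UDC"           # constructed UDC names
    echo "dummy_udc.1" > "$d/g2/UDC"
    : > "$d/g3/UDC"                            # empty file: gadget not bound
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree) && list_rndis_gadgets "$t"; rm -rf "$t"
fi
```

Run it with no argument on a device to scan the live configfs tree, or with `--demo` to see the output format on the constructed sample.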