Linux Kernel USB Idmouse Uninitialized Memory Vulnerability in Image Processing

A vulnerability has been identified in the Linux kernel's USB idmouse driver, specifically within the image processing function 'idmouse_create_image'. When the function 'ftip_command' fails, the process jumps to a reset label, leaving the 'bulk_in_buffer' data uninitialized. This oversight causes the subsequent validity check for the image to reference uninitialized memory, leading to a potential dereference issue. The vulnerability was discovered using Kernel Memory Sanitizer (KMSAN), indicating that only the kernel's compilation was tested.

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, where the program attempts to access memory that has already been freed, potentially causing a crash or allowing for arbitrary code execution.

Reproduction

To reproduce this vulnerability, compile the Linux kernel with KMSAN enabled. Then, use a USB idmouse device that triggers a failure in the 'ftip_command' function during the image creation process. This will cause the driver to jump to the reset label, leaving the 'bulk_in_buffer' data uninitialized. When the validity check for the image is performed, it will attempt to access the uninitialized data, leading to a dereference error.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.