Linux Kernel Use-After-Free Vulnerability in USB Siano Driver

A use-after-free vulnerability has been identified in the Linux kernel's USB Siano driver. This issue arises in versions of the kernel prior to 6.2.0, when the 'do_submit_urb' function is called. The vulnerability has been reported by the Kernel Address Sanitizer (KASan), indicating that a freed memory address was accessed, leading to a general protection fault and a kernel panic. The problem occurs when a Siano device is plugged in, causing the driver to initialize and potentially deallocate resources while some operations are still in progress, creating a race condition.

Impact

Exploitation of this vulnerability causes a kernel panic, abruptly terminating all processes and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, connect a Siano USB device to a system running an affected version of the Linux kernel. The device will trigger the Siano driver, which will attempt to initialize the device. If the initialization fails, the driver will deallocate the resources. However, if there are still pending operations that have not completed, this can lead to a use-after-free condition. The KASan tool will report the use-after-free error, indicating that the vulnerability has been successfully reproduced.

Remediation

Users can upgrade to Linux kernel version 6.2.0 or later, where this vulnerability has been fixed.