Linux Kernel Dangling Pointer Vulnerability in UVC Video Driver

Vulnerability

A vulnerability in the Linux kernel's UVC video driver allows for the creation of dangling pointers when asynchronous control operations are initiated. The driver copies a pointer to the file handle that started the operation, which is intended to be used later when the device completes the task. If the user closes the file descriptor before the operation is finished, the associated structure is freed, leaving a dangling pointer for each pending asynchronous control. The driver will then attempt to use these invalid pointers, potentially leading to undefined behavior. This issue has been addressed by cleaning up the dangling pointers during the file release process. To prevent performance penalties during normal operations, a counter has been introduced to manage the asynchronous control handling appropriately.

Impact

Exploitation of this vulnerability could lead to use-after-free conditions, where the driver accesses freed memory, potentially causing crashes or allowing for arbitrary code execution.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.