Linux Kernel Intel ISHTP HID Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Intel ISHTP HID driver within the Linux kernel. This issue arises during the 'rmmod' operation, specifically in the 'hid_ishtp_cl_remove()' function. The vulnerability occurs because 'hid_ishtp_cl_deinit()' is called before 'ishtp_hid_remove()', leading to the potential access of freed memory or resources. The problem is exacerbated by the fact that 'ishtp_hid_remove()' is a HID-level power-off operation, which should precede the ISHTP-level disconnection. The vulnerability has been addressed by reordering the function calls, ensuring 'ishtp_hid_remove()' is executed before 'hid_ishtp_cl_deinit()'.

Impact

Exploitation of this vulnerability can lead to memory corruption issues, where freed memory is accessed, potentially causing undefined behavior in the kernel.