Linux Kernel HID BPF Device Destruction Handling Vulnerability

A vulnerability in the Linux kernel's Human Interface Device (HID) Bluetooth Performance Framework (BPF) implementation can lead to a use-after-free bug. This issue arises when certain HID devices with active LED indicators are unplugged, causing a cleaned-up SRCU (Synchronize Read Copy Update) structure to be accessed improperly. The vulnerability occurs if the HID low-level driver does not implement the output report request, as seen with the Logitech Unifying Receiver. When these conditions are met, the HID input worker scheduled after the device destruction can inadvertently access invalid memory, potentially leading to undefined behavior or system instability.

Impact

Exploitation of this vulnerability causes a use-after-free condition, where memory that has been freed is accessed, leading to potential memory corruption. On architectures like x86, this can cause the system to access non-existent pages, creating a risk of crashes or other erratic behavior. The vulnerability also disrupts the HID BPF output report dispatching, which could interfere with normal device operations.

Reproduction

To reproduce this vulnerability, disconnect a HID device that has active LED indicators while using a driver that does not implement the output report request, such as the Logitech Unifying Receiver. This will trigger the issue by causing the HID input worker to access the device's SRCU structure after it has been destroyed, leading to a use-after-free condition.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the HID BPF dispatch functions to check if the device has been marked as destroyed, preventing the worker from accessing invalid memory. Users should upgrade to the latest stable version of the Linux kernel where this fix is applied.