Linux Kernel HID Appletb Keyboard Component Use-After-Free Vulnerability Leading to Memory Corruption

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's HID appletb keyboard component. The issue is in the 'appletb_kbd_probe' function, which initializes an input handler and registers it with the input core. If the probe fails after the handler has been registered, the associated memory is freed but the handler remains in the 'input_handler_list', leaving a dangling pointer in that list. When a new input device is later connected, the system traverses the corrupted list to attach handlers and reaches the freed entry, which can cause further memory corruption or instability.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, causing memory corruption in the 'input_handler_list', which is crucial for managing input devices. This corruption can disrupt the normal handling of input devices, potentially causing instability or unexpected behavior in the system.

Reproduction

The vulnerability can be reproduced by plugging in a USB input device, such as a mouse, after a probe failure has occurred in the HID appletb keyboard component. The 'input_register_handler' function will have been called, but the handler will not have been properly unregistered due to the failure, leaving a dangling pointer in the 'input_handler_list'. When the new input device is registered, the system will traverse the corrupted list, leading to memory corruption.
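The failure ordering described in the Vulnerability and Reproduction sections, as an added example that is not the kernel's code or the upstream patch: a userspace C model in which a list stands in for 'input_handler_list' and a flag stands in for freeing the driver's memory, so the stale entry can be inspected safely. All names (struct kbd, probe_buggy, probe_fixed, stale_entries_seen_on_device_add) are hypothetical, and the fixed path shows the usual unregister-before-release unwinding as an assumption about the shape of the fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model, not kernel code. 'freed' marks released driver memory
 * instead of calling free(), so walking the list stays well defined. */
struct handler { struct handler *next, *prev; };
struct kbd { struct handler h; int freed; };  /* handler embedded in driver state */
static struct handler handler_list = { &handler_list, &handler_list };

static void register_handler(struct handler *h) {
    h->prev = handler_list.prev; h->next = &handler_list;
    handler_list.prev->next = h; handler_list.prev = h;
}
static void unregister_handler(struct handler *h) {
    h->prev->next = h->next; h->next->prev = h->prev;
}

/* Buggy shape: a step after registration fails and the error path
 * releases the memory while the handler is still on the list. */
static int probe_buggy(struct kbd *k, int later_step_fails) {
    k->freed = 0; register_handler(&k->h);
    if (later_step_fails) { k->freed = 1; return -1; }
    return 0;
}

/* Fixed shape: unwind in reverse order, unregister before release. */
static int probe_fixed(struct kbd *k, int later_step_fails) {
    k->freed = 0; register_handler(&k->h);
    if (later_step_fails) { unregister_handler(&k->h); k->freed = 1; return -1; }
    return 0;
}

/* Models a new input device arriving: every registered handler is visited.
 * Returns how many list entries point into released memory. */
static int stale_entries_seen_on_device_add(void) {
    int stale = 0;
    for (struct handler *h = handler_list.next; h != &handler_list; h = h->next) {
        struct kbd *k = (struct kbd *)((char *)h - offsetof(struct kbd, h));
        if (k->freed) stale++;
    }
    return stale;
}

int main(void) {
    struct kbd a, b;
    probe_fixed(&a, 1); printf("fixed: %d stale\n", stale_entries_seen_on_device_add());
    probe_buggy(&b, 1); printf("buggy: %d stale\n", stale_entries_seen_on_device_add());
    return 0;
}
```

In the real kernel the stale entry is genuinely freed memory, so the traversal in the last function is where the use-after-free would occur.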

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this vulnerability has been patched.

Added: Jul 25, 2025, 1:46 PM
Updated: Jul 25, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.