Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.16.0-rc4, < 6.16.0-rc4-dirty
A use-after-free vulnerability has been identified in the Linux kernel's HID Asus driver. The issue arises when the HID input layer is set up for a device, specifically an ASUS ROG N-Key keyboard, using a default connect mask. During this setup, the driver's input capabilities may not be properly initialized, and the input device is then erroneously freed. A malicious HID device can trigger this by sending a specially crafted descriptor that skips the necessary configuration, causing the driver to release the input device prematurely. The name of the freed device can subsequently be overwritten, which is the use-after-free.
Exploitation of this vulnerability leads to a use-after-free condition, where freed memory is accessed, potentially allowing for arbitrary code execution or memory corruption.
The vulnerability can be reproduced by connecting a malicious HID device, such as an ASUS ROG N-Key keyboard, to a system running an affected version of the Linux kernel. The device must present a specially crafted descriptor that exploits the driver's input handling, particularly by using the HID_UP_UNDEFINED Usage Page, which is ignored during normal processing. This can be done by creating a HID report that includes undefined usage data, causing the driver to skip essential configuration steps and ultimately freeing the input device incorrectly.
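The lifetime problem described above can be shown with a simplified userspace model. This is an added example, not kernel or driver code: the struct and function names are hypothetical, and the `claimed_input` guard is one possible check, assumed here rather than taken from this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define UP_UNDEFINED 0x0000u /* same value as the kernel's HID_UP_UNDEFINED */
#define UP_KEYBOARD  0x0007u /* HID Keyboard/Keypad usage page number */

/* Simplified userspace stand-ins; every name below is hypothetical. */
struct model_input { const char *name; unsigned caps; };
struct model_hid {
    struct model_input *input; /* pointer the driver keeps for later use */
    bool claimed_input;        /* true while the input layer owns a device */
};

/* Connect: map each usage, then free the input if no capability was set. */
int model_connect(struct model_hid *h, const unsigned *pages, size_t n)
{
    h->input = calloc(1, sizeof(*h->input));
    if (!h->input)
        return -1;
    h->input->name = "generic";
    for (size_t i = 0; i < n; i++)
        if (pages[i] != UP_UNDEFINED) /* undefined usages are skipped */
            h->input->caps++;
    h->claimed_input = h->input->caps > 0;
    if (!h->claimed_input)
        free(h->input); /* h->input now dangles */
    return 0;
}

/* Vulnerable shape: writes the name through a possibly freed pointer. */
int probe_unchecked(struct model_hid *h)
{
    h->input->name = "renamed"; /* use-after-free when !claimed_input */
    return 0;
}

/* Hardened shape: refuse to touch the input unless it is still claimed. */
int probe_checked(struct model_hid *h)
{
    if (!h->claimed_input)
        return -1; /* fail the probe instead of dereferencing */
    h->input->name = "renamed";
    return 0;
}
```

`probe_unchecked` is shown only for contrast and must not be called after a connect that left `claimed_input` false.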
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.