Linux Kernel USB MOST Driver Use-After-Free Vulnerability in hdm_disconnect Function

A use-after-free vulnerability has been identified in the Linux kernel's USB MOST (Media Oriented Systems Transport) driver, specifically within the hdm_disconnect function. This issue arises when hdm_disconnect calls most_deregister_interface, which unregistered the MOST interface device. If this action removes the last reference to the device, the device core may immediately invoke release_mdev while hdm_disconnect is still processing. The original implementation also improperly managed memory by freeing several allocations owned by the MOST device within hdm_disconnect, followed by additional put_device calls. This mismanagement created a potential for use-after-free or double-free errors, depending on the order of reference count updates. The vulnerability has been addressed by reorganizing the code to ensure that mdev-owned allocations are freed in release_mdev, synchronizing the memory management with the actual device lifecycle, and eliminating redundant put_device calls in hdm_disconnect.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, where the memory is freed while still in use, potentially causing instability or allowing arbitrary code execution.

Reproduction

The vulnerability can be reproduced by disconnecting a USB device that uses the MOST interface while the system is actively processing related data. This can be done by physically unplugging the device or by using software that simulates a disconnection, such as a USB management tool that removes devices from the MOST bus. The timing of the disconnection is crucial; it must occur before the hdm_disconnect function has completed its execution, creating a race condition that the vulnerability exploits.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website or through the package management system of the Linux distribution in use.