Linux Kernel CDNS3 Gadget Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's CDNS3 USB gadget driver. This issue arises in the CDNSP gadget initialization and exit functions, where the gadget structure is freed before its associated endpoints. The endpoints, linked through the gadget structure's endpoint list, are left with dangling pointers when the gadget is freed first. This mismanagement leads to a use-after-free condition when the endpoints are later freed. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, potentially allowing for memory corruption or arbitrary code execution.

Reproduction

Initializing a CDNSP gadget frees the gadget structure before its endpoints, leaving the endpoints with dangling pointers back to the released gadget. When the gadget is later exited and the endpoints are freed, they reference that invalid memory, causing the use-after-free condition.

Remediation

The vulnerability has been addressed by changing the order of the USB gadget teardown. The 'usb_del_gadget_udc' call, which unregisters the gadget and drops its last reference in one step, has been replaced with 'usb_del_gadget' to unregister the gadget, followed, only after the gadget's endpoints have been freed, by 'usb_put_gadget' to release it. This change ensures that the gadget structure is only released after its endpoints have been properly torn down.
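The ordering problem and the fix can be shown without kernel code. The following is an added example, not the driver's or the kernel's own code: it models a gadget whose endpoints keep a back-pointer to it, and a small quarantine allocator that, like KASAN, poisons freed objects instead of reusing them and counts every access to poisoned memory. The structure and function names ending in _model, run_teardown, and the touch() accounting are hypothetical; gadget_del, gadget_put and gadget_del_udc stand in for usb_del_gadget, usb_put_gadget and usb_del_gadget_udc respectively.

```c
#include <stdio.h>
#include <stdlib.h>

/* Quarantine allocator standing in for KASAN (hypothetical, added example):
 * model_free() poisons an object instead of returning it, touch() counts
 * accesses to poisoned objects, and model_release_all() really frees them. */
#define MAX_OBJS 16

struct tracked { int poisoned; };

static struct tracked *arena[MAX_OBJS];
static int arena_len;
static int uaf_count;   /* accesses to freed objects during the last teardown */

static void *model_alloc(size_t size)
{
    struct tracked *t = calloc(1, size);
    if (!t || arena_len == MAX_OBJS)
        abort();
    arena[arena_len++] = t;
    return t;
}

static void model_free(struct tracked *t) { t->poisoned = 1; }
static void touch(struct tracked *t) { if (t->poisoned) uaf_count++; }

static void model_release_all(void)
{
    for (int i = 0; i < arena_len; i++)
        free(arena[i]);
    arena_len = 0;
}

struct ep_model;

struct gadget_model {
    struct tracked hdr;
    int refcount;
    struct ep_model *ep_list;     /* head of the endpoint list (gadget->ep_list) */
};

struct ep_model {
    struct tracked hdr;
    struct gadget_model *gadget;  /* back-pointer: dangles if the gadget goes first */
    struct ep_model *next;
};

static struct gadget_model *gadget_create(int n_eps)
{
    struct gadget_model *g = model_alloc(sizeof *g);
    g->refcount = 1;
    for (int i = 0; i < n_eps; i++) {
        struct ep_model *ep = model_alloc(sizeof *ep);
        ep->gadget = g;
        ep->next = g->ep_list;
        g->ep_list = ep;
    }
    return g;
}

/* usb_del_gadget analogue: unregister from the core; memory stays alive. */
static void gadget_del(struct gadget_model *g) { touch(&g->hdr); }

/* usb_put_gadget analogue: drop a reference; the last put frees the gadget. */
static void gadget_put(struct gadget_model *g)
{
    touch(&g->hdr);
    if (--g->refcount == 0)
        model_free(&g->hdr);
}

/* usb_del_gadget_udc analogue: del and put in one step, so the gadget
 * memory is released here when this call holds the last reference. */
static void gadget_del_udc(struct gadget_model *g) { gadget_del(g); gadget_put(g); }

/* Unlinking an endpoint reads the gadget through its back-pointer, which is
 * exactly the access that becomes a use-after-free if the gadget went first. */
static void free_endpoints(struct gadget_model *g)
{
    touch(&g->hdr);
    struct ep_model *ep = g->ep_list;
    while (ep) {
        struct ep_model *next = ep->next;
        touch(&ep->gadget->hdr);
        model_free(&ep->hdr);
        ep = next;
    }
    g->ep_list = NULL;
}

/* Runs one teardown and returns how many use-after-free accesses occurred. */
int run_teardown(int fixed_order, int n_eps)
{
    struct gadget_model *g = gadget_create(n_eps);
    uaf_count = 0;
    if (fixed_order) {
        gadget_del(g);        /* usb_del_gadget: unregister only */
        free_endpoints(g);    /* endpoints go while the gadget is still alive */
        gadget_put(g);        /* usb_put_gadget: final release */
    } else {
        gadget_del_udc(g);    /* usb_del_gadget_udc: gadget freed here ... */
        free_endpoints(g);    /* ... so every endpoint now touches freed memory */
    }
    model_release_all();
    return uaf_count;
}

int main(void)
{
    printf("buggy order: %d use-after-free accesses\n", run_teardown(0, 3));
    printf("fixed order: %d use-after-free accesses\n", run_teardown(1, 3));
    return 0;
}
```

With three endpoints the buggy order reports four poisoned accesses (one for reading the list head from the freed gadget, one per endpoint unlink), while the fixed order reports none; the only difference between the two branches is where the final reference is dropped, which is the whole of the fix described above.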

Added: Dec 8, 2025, 1:30 AM
Updated: Dec 8, 2025, 1:30 AM

Vulnerability Rating (custom algorithm)

spread          9.0
impact          2.5
exploitability  4.3
remediation     7.7
relevance       1.4
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.