Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's USB Type-C UCSI driver for Huawei devices. This issue arises because the driver's cleanup function does not properly cancel scheduled work, leading to a race condition. Specifically, the UCSI and associated structures can be freed while a delayed work task is still pending or executing, creating a window where the freed memory can be accessed. The vulnerability can be easily reproduced, as the race condition remains open for three seconds.
Exploitation of this vulnerability can lead to a use-after-free condition, allowing for memory corruption and potential arbitrary code execution.
The vulnerability can be reproduced by loading the UCSI driver for Huawei devices, which schedules a delayed work task. If the driver is removed without canceling this task, the UCSI and associated structures are freed while the task may still be executing or pending, leading to a use-after-free condition. This can be observed using the Kernel Address Sanitizer (KASAN), which will report the use-after-free error.
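The teardown ordering at issue, as an added userspace example that is not the kernel driver's code: a pthread worker stands in for the delayed work, and `dev_remove()` cancels it and waits for it before freeing, which is the guarantee the kernel's `cancel_delayed_work_sync()` provides. All struct and function names here are hypothetical.

```c
/* Userspace pthread model of delayed work; hypothetical names, not kernel code. */
#include <pthread.h>
#include <stdlib.h>
#include <time.h>

struct dev {
    pthread_t worker;
    pthread_mutex_t lock;
    pthread_cond_t wake;
    int cancelled;   /* set by teardown to cancel pending work */
    int registered;  /* device state the delayed work writes */
};

/* Delayed work: wait out the delay (or a cancel), then touch the device. */
static void *delayed_work(void *arg) {
    struct dev *d = arg;
    struct timespec due = { .tv_sec = time(NULL) + 3, .tv_nsec = 0 }; /* ~3 s window */
    int rc = 0;

    pthread_mutex_lock(&d->lock);
    while (!d->cancelled && rc == 0)   /* rc != 0 means the delay expired */
        rc = pthread_cond_timedwait(&d->wake, &d->lock, &due);
    if (!d->cancelled)
        d->registered = 1;             /* access to *d: must never follow free(d) */
    pthread_mutex_unlock(&d->lock);
    return NULL;
}

/* Probe: allocate the device and schedule the delayed work. */
static struct dev *dev_probe(void) {
    struct dev *d = calloc(1, sizeof(*d));
    if (!d || pthread_mutex_init(&d->lock, NULL) || pthread_cond_init(&d->wake, NULL) ||
        pthread_create(&d->worker, NULL, delayed_work, d)) {
        free(d);
        return NULL;
    }
    return d;
}

/* Teardown in the safe order: cancel, wait for the work, only then free.
 * Calling free(d) without the cancel and join is the bug described above. */
static int dev_remove(struct dev *d) {
    pthread_mutex_lock(&d->lock);
    d->cancelled = 1;
    pthread_cond_signal(&d->wake);
    pthread_mutex_unlock(&d->lock);
    pthread_join(d->worker, NULL);     /* nothing pending or running past here */
    int ran = d->registered;           /* 1 only if the work ran before the cancel */
    pthread_mutex_destroy(&d->lock);
    pthread_cond_destroy(&d->wake);
    free(d);
    return ran;
}
```

Building the model with `-fsanitize=address` and deleting the cancel and join from `dev_remove()` gives a userspace analogue of the KASAN report mentioned above.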
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.