Espressif USB Host HID Driver Use-After-Free Vulnerability Allowing Memory Corruption
Vulnerability
A use-after-free vulnerability has been identified in the Espressif USB Host HID driver, specifically in versions prior to 1.1.0. The issue arises in the function 'usb_class_request_get_descriptor()', which improperly handles oversized HID Report Descriptors. When such a descriptor is requested, the function frees and reallocates the control transfer buffer but continues to use the old pointer, leading to a use-after-free condition. This flaw can be exploited by an attacker to overwrite freed memory, potentially causing arbitrary memory corruption and allowing code execution.
Impact
Exploitation of this vulnerability can lead to arbitrary memory corruption in the USB host task, with the possibility of executing arbitrary code.
Reproduction
The vulnerability can be reproduced by connecting a crafted HID device that advertises an excessively large Report Descriptor length. During the enumeration process, the host will request the descriptor using the inflated length, triggering the use-after-free condition. This can be automated with a test case that mocks a HID device with a large report descriptor, such as 32KB.
Remediation
Users should upgrade to Espressif USB Host HID driver version 1.1.0 or later, where this vulnerability has been fixed.
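The bug pattern described above (a local copy of the transfer-buffer pointer taken before the buffer is freed and reallocated, then written through afterwards) and the shape of a fix are shown below in a self-contained C example. This is an added illustration, not code from the Espressif driver: the type name ctrl_xfer_t, the functions ctrl_xfer_grow(), hid_get_report_descriptor_vuln() and hid_get_report_descriptor_fixed(), the HID_REPORT_DESC_MAX bound and the fake device that fills the buffer are all hypothetical stand-ins. The 32 KiB request mirrors the reproduction note above; only the hardened path is ever executed.

```c
/* Added example, not Espressif's code. All names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed upper bound on a Report Descriptor the host is willing to fetch. */
#define HID_REPORT_DESC_MAX 4096u

/* Hypothetical control-transfer object: one heap buffer plus its capacity. */
typedef struct {
    uint8_t *buf;
    size_t   cap;
} ctrl_xfer_t;

/* Constructed stand-in for the device side of the control transfer:
 * fills `dst` with `len` bytes of a fixed 0xA5 pattern. */
static size_t fake_device_fill(uint8_t *dst, size_t len) {
    memset(dst, 0xA5, len);
    return len;
}

/* Grows the transfer buffer so it can hold `need` bytes. The old block is
 * freed here, which is exactly the point at which any earlier copy of
 * x->buf becomes dangling. Returns 0 on success, -1 on allocation failure. */
int ctrl_xfer_grow(ctrl_xfer_t *x, size_t need) {
    if (need <= x->cap) return 0;
    uint8_t *nb = malloc(need);
    if (!nb) return -1;
    free(x->buf);
    x->buf = nb;
    x->cap = need;
    return 0;
}

/* VULNERABLE pattern (defined for comparison, never called below): `p` is
 * captured before the grow, the grow frees that block, and the descriptor
 * is then written through the stale pointer: a use-after-free. */
int hid_get_report_descriptor_vuln(ctrl_xfer_t *x, size_t wLength) {
    uint8_t *p = x->buf;              /* dangling once ctrl_xfer_grow() frees */
    if (ctrl_xfer_grow(x, wLength) != 0) return -1;
    fake_device_fill(p, wLength);     /* BUG: writes into freed memory */
    return 0;
}

/* HARDENED: reject lengths beyond the bound before touching any buffer,
 * and read the buffer pointer only after the reallocation has happened.
 * Returns 0 on success, -1 on allocation failure, -2 on a rejected length. */
int hid_get_report_descriptor_fixed(ctrl_xfer_t *x, size_t wLength) {
    if (wLength == 0 || wLength > HID_REPORT_DESC_MAX) return -2;
    if (ctrl_xfer_grow(x, wLength) != 0) return -1;
    uint8_t *p = x->buf;              /* taken after grow: always current */
    fake_device_fill(p, wLength);
    return 0;
}

int main(void) {
    ctrl_xfer_t x = { malloc(64), 64 };
    if (!x.buf) return 1;
    printf("64-byte descriptor:  rc=%d cap=%zu\n",
           hid_get_report_descriptor_fixed(&x, 64), x.cap);
    printf("32 KiB descriptor:   rc=%d (rejected before any reallocation)\n",
           hid_get_report_descriptor_fixed(&x, 32u * 1024u));
    printf("1 KiB descriptor:    rc=%d cap=%zu\n",
           hid_get_report_descriptor_fixed(&x, 1024), x.cap);
    free(x.buf);
    return 0;
}
```

The two changes are independent and both worth having: the length bound keeps a device from driving the host into large reallocations at all, and re-reading x->buf after ctrl_xfer_grow() removes the stale pointer even for lengths the bound allows. Building with AddressSanitizer and calling the vulnerable variant is a quick way to confirm a tool would flag this class of defect in a driver under review.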
