Linux Kernel ALSA USB-Audio Component Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's ALSA USB-audio subsystem. When 'snd_usb_create_mixer()' fails, the error path calls 'snd_usb_mixer_free()', which frees the 'id_elems' memory while the mixer controls already added to the sound card still reference it. The dangling references are dereferenced when 'snd_card_register()' runs, because the OSS mixer layer walks the card's controls and accesses their callbacks, producing a use-after-free read. The root cause is that 'snd_usb_mixer_free()' does not unregister the mixer controls before freeing the memory they point into, so the card keeps pointers to invalid memory.

Impact

Exploitation of this vulnerability causes a use-after-free condition, where the system attempts to read memory that has already been freed, potentially leading to arbitrary code execution or memory corruption.

Reproduction

To reproduce this vulnerability, create a USB audio device that fails during the mixer creation process. The 'snd_usb_create_mixer()' function should be modified to simulate a failure. Once the mixer creation fails, the 'snd_usb_mixer_free()' function will be called, freeing the 'id_elems' memory. However, the controls that were added to the sound card will still reference the now-freed memory. When 'snd_card_register()' is called, the OSS mixer layer will trigger the callbacks for the affected controls, resulting in a use-after-free read.

Remediation

The vulnerability has been fixed by modifying the 'snd_usb_mixer_free()' function to call 'snd_ctl_remove()' for all mixer controls before freeing the 'id_elems' memory. This change ensures that the controls are properly unregistered, preventing any references to freed memory.
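The teardown ordering the remediation describes, as an added user-space model (not kernel code; the struct and function names are simplified stand-ins for the ALSA ones, and MAX_ID_ELEMS is a constructed small value). With remove_first == 0 the card keeps controls whose private_data points into the freed id_elems lists, which is what the OSS mixer layer would then read at register time; with remove_first == 1 every control is unregistered first and nothing dangling survives.

```c
#include <stdlib.h>
#define MAX_ID_ELEMS 4   /* constructed; the kernel's id_elems table is larger */

/* A registered control: the card owns the kctl, but private_data points into a mixer element. */
struct kctl { void *private_data; struct kctl *next; };
struct card { struct kctl *controls; int n_controls; };
/* One mixer element, chained per unit id like the kernel's id_elems lists. */
struct mixer_elem { int id; struct kctl *kctl; struct mixer_elem *next_id_elem; };
struct mixer { struct card *card; struct mixer_elem **id_elems; };
/* Create an element and register its control (stand-in for snd_ctl_add()). */
static void mixer_add_elem(struct mixer *m, int id)
{
    struct mixer_elem *e = calloc(1, sizeof(*e));
    struct kctl *k = calloc(1, sizeof(*k));
    e->id = id; e->kctl = k; e->next_id_elem = m->id_elems[id]; m->id_elems[id] = e;
    k->private_data = e; k->next = m->card->controls;
    m->card->controls = k; m->card->n_controls++;
}
/* Stand-in for snd_ctl_remove(): unlink and free the control so nothing references elem. */
static void card_remove_control(struct card *card, struct kctl *kctl)
{
    for (struct kctl **pp = &card->controls; *pp; pp = &(*pp)->next)
        if (*pp == kctl) { *pp = kctl->next; card->n_controls--; free(kctl); return; }
}
/* Teardown after a failed mixer creation. remove_first == 0 is the faulty order this page
 * describes; remove_first == 1 is the fix: unregister every control before freeing id_elems. */
static void mixer_free(struct mixer *m, int remove_first)
{
    for (int i = 0; i < MAX_ID_ELEMS; i++) {
        for (struct mixer_elem *e = m->id_elems[i], *next; e; e = next) {
            next = e->next_id_elem;
            if (remove_first) card_remove_control(m->card, e->kctl);
            free(e);  /* without the removal above, kctl->private_data now dangles */
        }
    }
    free(m->id_elems); m->id_elems = NULL;
}
/* How many controls the card would still hand to the OSS mixer layer at register time:
 * every one left after teardown is a pointer into freed memory (the UAF read). */
int stale_controls_after_free(int remove_first)
{
    struct card card = {0};
    struct mixer m = { &card, calloc(MAX_ID_ELEMS, sizeof(struct mixer_elem *)) };
    mixer_add_elem(&m, 1); mixer_add_elem(&m, 2); mixer_add_elem(&m, 2);
    mixer_free(&m, remove_first);
    int stale = card.n_controls;
    while (card.controls) card_remove_control(&card, card.controls);  /* cleanup only */
    return stale;
}
```

The model never dereferences the stale private_data pointers; it only counts them, so it runs cleanly while still showing why the removal has to come before the free.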

Added: Feb 4, 2026, 5:45 PM
Updated: Feb 4, 2026, 5:45 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 2.5
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.