Linux Kernel Power-Z Driver Use-After-Free Vulnerability in USB Disconnect Handling

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Power-Z driver in the hardware monitoring (hwmon) subsystem. The USB disconnect handler frees the driver's USB Request Block (URB) and then releases a mutex, so a read operation that subsequently acquires the mutex can still reach the freed URB through the stale pointer. The vulnerability affects the Linux kernel stable tree in versions prior to the patch that corrects it. The root cause is improper management of the URB lifecycle during USB disconnection, which can be exploited by manipulating the timing of disconnect and read operations.
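The ordering problem described above is easier to see in a small userspace model. The following C program is an added illustration, not the Power-Z driver's code or the upstream patch: it assumes a read path that takes the driver mutex and checks the URB pointer for NULL before using it, and it contrasts a disconnect handler that frees the URB while leaving the pointer in place with one that detaches the pointer under the lock before freeing. Because dereferencing freed memory is undefined behaviour, the mock free only flags the object so that a stale access can be reported deterministically.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of a disconnect/read ordering bug (constructed for
 * illustration; it is not the hwmon powerz driver's code). */

/* Minimal lock stand-in: enough to show what is done inside the critical section. */
struct mutex { int held; };
static void mutex_lock(struct mutex *m)   { m->held++; }
static void mutex_unlock(struct mutex *m) { m->held--; }

/* Stand-in for a USB request block. The mock free marks the object instead
 * of returning it to the allocator, so a later access can be detected rather
 * than triggering undefined behaviour. */
struct urb { int status; bool freed; };

static struct urb *mock_alloc_urb(void)        { return calloc(1, sizeof(struct urb)); }
static void        mock_free_urb(struct urb *u) { if (u) u->freed = true; }
static void        mock_really_free(struct urb *u) { free(u); }

struct powerz_priv { struct mutex lock; struct urb *urb; };

/* Sentinel returned by the model when a read would touch freed memory. */
#define UAF_DETECTED (-1000)

/* Vulnerable pattern: the URB is freed and the mutex released, but priv->urb
 * still points at the freed object, so a later read passes the NULL check. */
static void disconnect_vulnerable(struct powerz_priv *priv)
{
    mutex_lock(&priv->lock);
    mock_free_urb(priv->urb);
    mutex_unlock(&priv->lock);
}

/* Hardened pattern (assumed ordering, not the upstream fix text): detach the
 * pointer while holding the lock so every later read sees NULL, then free
 * the URB outside the critical section. */
static void disconnect_fixed(struct powerz_priv *priv)
{
    struct urb *u;
    mutex_lock(&priv->lock);
    u = priv->urb;
    priv->urb = NULL;
    mutex_unlock(&priv->lock);
    mock_free_urb(u);
}

/* Read path shared by both variants: lock, check the pointer, use the URB. */
static int powerz_read_model(struct powerz_priv *priv, int *val)
{
    int ret;
    mutex_lock(&priv->lock);
    if (!priv->urb)
        ret = -ENODEV;               /* device already gone: safe failure */
    else if (priv->urb->freed)
        ret = UAF_DETECTED;          /* would dereference freed memory */
    else {
        *val = priv->urb->status;    /* normal path */
        ret = 0;
    }
    mutex_unlock(&priv->lock);
    return ret;
}

/* Read while the device is still connected: returns 0 on success. */
static int read_connected(void)
{
    struct powerz_priv priv = { .lock = {0}, .urb = mock_alloc_urb() };
    int val = 0, ret;
    if (!priv.urb) return -ENOMEM;
    ret = powerz_read_model(&priv, &val);
    mock_really_free(priv.urb);
    return ret;
}

/* Read after disconnect: UAF_DETECTED for the vulnerable ordering,
 * -ENODEV for the fixed ordering. */
static int read_after_disconnect(bool fixed)
{
    struct powerz_priv priv = { .lock = {0}, .urb = mock_alloc_urb() };
    struct urb *keep = priv.urb;     /* kept so the model can release memory */
    int val = 0, ret;
    if (!keep) return -ENOMEM;
    if (fixed) disconnect_fixed(&priv); else disconnect_vulnerable(&priv);
    ret = powerz_read_model(&priv, &val);
    mock_really_free(keep);
    return ret;
}

int main(void)
{
    printf("connected read:            %d\n", read_connected());
    printf("vulnerable disconnect:     %d (UAF_DETECTED=%d)\n",
           read_after_disconnect(false), UAF_DETECTED);
    printf("fixed disconnect:          %d (-ENODEV=%d)\n",
           read_after_disconnect(true), -ENODEV);
    return 0;
}
```

The point of the model is that a NULL check in the read path is only protective if the disconnect handler clears the pointer under the same lock; freeing the object and unlocking without clearing leaves every later reader with a dangling pointer that passes the check. In a real kernel build, KASAN reports exactly this kind of access as a use-after-free read in the driver's read callback, which is the signal to look for when validating a backport of the fix.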

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, where a freed memory resource is accessed, potentially causing memory corruption or allowing arbitrary code execution.

Reproduction

To reproduce this vulnerability, connect a USB device that uses the Power-Z driver. After the device is disconnected, initiate a read operation while the USB disconnect handler is still processing. This can be done by manually triggering the read operation shortly after disconnection, before the driver has completed its cleanup process.

Remediation

Users can apply the latest patch available in the Linux kernel stable repository to address this vulnerability. Instructions for downloading the patched version can be found in the Linux kernel documentation.

Added: Apr 24, 2026, 6:55 PM
Updated: Apr 24, 2026, 6:55 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  3.9
  remediation     7.7
  relevance       6.6
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.