Linux Kernel VUB300 Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the VUB300 driver of the Linux kernel. This issue arises because the driver manages an explicit reference count for the controller and its associated data, allowing the last reference to be dropped after the driver is unbound. The vulnerability is exacerbated by the fact that the controller allocation is improperly device-managed, leading to potential memory access errors. Additionally, the driver's lifecycle is incorrectly linked to the parent USB device instead of the interface, which can cause memory leaks if the driver is unbound without physically disconnecting the device. The vulnerability affects Linux kernel versions 6.17 and later.

Impact

Exploitation of this vulnerability can lead to use-after-free conditions, causing memory corruption issues.

Reproduction

The vulnerability can be reproduced by loading the VUB300 driver, allowing it to manage the controller allocation through the device. Then, unbind the driver without physically disconnecting the USB device, which will drop the last reference while the controller is still in use, creating a use-after-free condition.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.