Linux Kernel HID Gadget Initialization Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's HID gadget function, in versions that do not include the fix, where data structures are initialized at the wrong point in the gadget's lifecycle and can become corrupted. The problem arises when the HID gadget is set up and bound, and the USB Device Controller (UDC) is then unbound and rebound while the gadget is still active. The issue is exacerbated when the kernel's debug list feature (CONFIG_DEBUG_LIST) is enabled, as it can cause a corruption of the list management used by the event polling system. The root cause is that the bind function initializes the wait queues, so rebinding the UDC re-initializes them while entries registered by the event polling system are still linked into them, which disrupts the normal operation of the HID gadget. Exploiting this vulnerability can cause unexpected behavior in the HID gadget's operation, potentially leading to data loss or corruption.

Impact

The vulnerability can cause a corruption of the internal list management used by the event polling system, which can disrupt the normal operation of the HID gadget. This could lead to data loss or corruption, as the HID gadget may not function correctly after the UDC is rebound.

Reproduction

To reproduce this vulnerability, set up and bind an HID gadget. Open the device file corresponding to the HID gadget (e.g., /dev/hidg0) and add the file descriptor to an epoll instance using EPOLL_CTL_ADD. Then, unbind the UDC, rebind it, and use the file descriptor to remove the wait queue from the epoll instance with EPOLL_CTL_DEL. When CONFIG_DEBUG_LIST is enabled, this sequence of actions will trigger a list corruption error, indicating the presence of the vulnerability.

Remediation

The vulnerability has been addressed by moving the initialization of the HID gadget's spinlocks and wait queues from the bind function to the allocation function. Users should update to the latest version of the Linux kernel where this patch has been applied.
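
The root cause and the fix can be seen in a small userspace model. This is an added example, not kernel code and not part of the original advisory; struct hidg_model, model_alloc, model_bind and rebind_sequence_ok are hypothetical names, and the list helpers are simplified stand-ins for the kernel's list handling.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *e, struct list_head *h) {
    e->next = h->next;
    e->prev = h;
    h->next->prev = e;
    h->next = e;
}

/* Neighbour-consistency check of the kind CONFIG_DEBUG_LIST makes on removal. */
static bool list_del_checked(struct list_head *e) {
    if (e->prev->next != e || e->next->prev != e)
        return false;               /* the kernel would report list corruption */
    e->next->prev = e->prev;
    e->prev->next = e->next;
    return true;
}

/* Hypothetical stand-in for the gadget function state: one wait queue head. */
struct hidg_model { struct list_head waitq; };

static void model_alloc(struct hidg_model *g, bool patched) {
    if (patched) init_list_head(&g->waitq);    /* fixed: init once, at allocation */
}

static void model_bind(struct hidg_model *g, bool patched) {
    if (!patched) init_list_head(&g->waitq);   /* pre-fix: init on every bind */
}

/* alloc, bind, EPOLL_CTL_ADD, UDC unbind + rebind, EPOLL_CTL_DEL.
 * Returns true when the final removal passes the list check. */
static bool rebind_sequence_ok(bool patched) {
    struct hidg_model g;
    struct list_head epoll_entry;              /* entry epoll links into the queue */
    model_alloc(&g, patched);
    model_bind(&g, patched);
    list_add(&epoll_entry, &g.waitq);          /* EPOLL_CTL_ADD */
    model_bind(&g, patched);                   /* rebinding the UDC runs bind again */
    return list_del_checked(&epoll_entry);     /* EPOLL_CTL_DEL */
}

int main(void) {
    printf("pre-fix: %d, fixed: %d\n", rebind_sequence_ok(false), rebind_sequence_ok(true));
    return 0;
}
```

With initialization in bind, the second bind resets the queue head so it no longer points at the linked entry and the removal check fails; with initialization moved to allocation, the head is untouched by rebinding and the removal succeeds.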

Added: May 1, 2026, 5:18 PM
Updated: May 1, 2026, 5:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.