Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the USB Test and Measurement Class (USBTMC) driver of the Linux kernel. This issue arises in the usbtmc_release function, where pending anchored USB Request Blocks (URBs) are not properly flushed or terminated before the function completes. This oversight can lead to use-after-free errors, particularly in the Host Controller Driver (HCD) giveback path. The vulnerability has been addressed by modifying the usbtmc_release function to include a call to usbtmc_draw_down, ensuring that anchored URBs are allowed to complete before the function exits.
The vulnerability can be exploited to cause a use-after-free condition, potentially leading to memory corruption or arbitrary code execution.
The vulnerability can be reproduced by releasing a file handle associated with a USBTMC device that has pending anchored URBs. Because usbtmc_release returns without first flushing or terminating the anchored URBs, they can be processed in the HCD giveback path after the associated memory has already been freed.
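The release ordering described above, as a userspace C model added here for illustration (not the kernel driver's code and not the upstream patch). Every type and function name in it is hypothetical, and setting a flag stands in for freeing the per-file state so that late completions can be counted safely.

```c
/* Userspace model, not kernel code. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_PENDING 8

struct file_ctx { bool released; int completed; };       /* per-open driver state */
struct request  { struct file_ctx *ctx; bool pending; }; /* an anchored URB */
struct anchor   { struct request reqs[MAX_PENDING]; size_t count; };
static int stale_accesses;  /* completions that touched released state */

static void submit(struct anchor *a, struct file_ctx *ctx) {
    if (a->count < MAX_PENDING)
        a->reqs[a->count++] = (struct request){ .ctx = ctx, .pending = true };
}

/* Giveback path: each finished request runs its completion callback. */
static void giveback_all(struct anchor *a) {
    for (size_t i = 0; i < a->count; i++) {
        struct request *r = &a->reqs[i];
        if (!r->pending) continue;
        r->pending = false;
        if (r->ctx->released)
            stale_accesses++;      /* the real driver would touch freed memory */
        else
            r->ctx->completed++;
    }
}

/* drain=false models the flawed ordering, drain=true the fixed one. */
static void release(struct anchor *a, struct file_ctx *ctx, bool drain) {
    if (drain)
        giveback_all(a);           /* let anchored requests complete first */
    ctx->released = true;          /* the real driver frees the state here */
}

/* One open/submit/release cycle; returns completions that ran too late. */
int simulate(bool drain, int nreq) {
    struct anchor a = { .count = 0 };
    struct file_ctx ctx = { false, 0 };
    stale_accesses = 0;
    for (int i = 0; i < nreq; i++) submit(&a, &ctx);
    release(&a, &ctx, drain);
    giveback_all(&a);              /* completions arriving after release */
    return stale_accesses;
}

int main(void) {
    printf("no drain: %d stale, drain: %d stale\n", simulate(false, 3), simulate(true, 3));
    return 0;
}
```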
Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.