Linux Kernel USB ULPI Double Free Vulnerability in Interface Registration

A double free vulnerability has been identified in the USB ULPI (Universal Land Interface) driver of the Linux kernel. This issue arises in the 'ulpi_register_interface()' function when 'device_register()' fails. The 'ulpi_register()' function then calls 'put_device()' on 'ulpi->dev', triggering the device release callback 'ulpi_dev_release()', which drops the OF node reference and frees 'ulpi'. However, the current error handling in 'ulpi_register_interface()' calls 'kfree(ulpi)' again, leading to a double free situation. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes a double free condition, which can lead to memory corruption. Such memory corruption vulnerabilities can often be exploited to execute arbitrary code or cause a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, attempt to register a USB ULPI interface while the 'device_register()' function is configured to fail. This will trigger the error path in 'ulpi_register_interface()', where the double free occurs.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.