Linux Kernel Roccat HID Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel Roccat HID driver. The issue arises in the 'roccat_report_event' function, which processes the 'device->readers' list without proper synchronization. This oversight allows a concurrent 'roccat_release' function to remove and free a reader while it is still being used, leading to a use-after-free condition. The vulnerability affects the Linux kernel's stable group.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, which may be exploited to execute arbitrary code or cause a denial-of-service.

Reproduction

The vulnerability can be reproduced by invoking the 'roccat_report_event' function while simultaneously calling 'roccat_release' on the same device. This can be achieved by creating a scenario where 'roccat_release' removes a reader from the 'device->readers' list while 'roccat_report_event' is still processing it, without the necessary locks to prevent such interference.

Remediation

The vulnerability has been addressed by modifying the 'roccat_report_event' function to include mutex locks around the traversal of the 'device->readers' list. Users should update to the latest version of the Linux kernel where this fix has been applied.