Linux Kernel Renesas USBHS Driver Use-After-Free Vulnerability in Interrupt Service Routine

Vulnerability

A use-after-free vulnerability has been identified in the Renesas USBHS driver of the Linux kernel. This issue arises in the 'usbhs_remove()' function, where the driver deallocates resources, including the pipe array, while the interrupt service routine (ISR) 'usbhs_interrupt' remains registered. If an interrupt occurs after 'usbhs_pipe_remove()' has been called but before the driver has completely unbound, the ISR could access freed memory, leading to a use-after-free condition. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability could result in a use-after-free condition, potentially allowing for memory corruption or arbitrary code execution.

Reproduction

To reproduce this vulnerability, load the Renesas USBHS driver and ensure that the 'usbhs_interrupt' handler is registered. Then, trigger a device removal process that invokes 'usbhs_remove()' without first unbinding the driver completely. This will cause the interrupt to fire while the driver is still in the process of being removed, leading to the ISR accessing freed memory.

Remediation

The vulnerability has been addressed by modifying the 'usbhs_remove()' function to call 'devm_free_irq()' before freeing other resources. This change ensures that the interrupt handler is disabled and any ongoing ISR execution is completed before the pipe removal process begins.
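The ordering argument above can be checked with a small userspace model. This is an added example, not code from the kernel or from the fix; the names 'model_priv', 'model_isr', 'do_step' and 'unsafe_windows' are hypothetical. It tries an interrupt at every point of the teardown and counts the points where the handler would find the pipe array already freed, tracking lifetime with a NULL pointer rather than touching freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>

enum step { STEP_PIPE_REMOVE, STEP_FREE_IRQ };
struct model_priv {
    int *pipes;            /* stands in for the pipe array */
    bool irq_registered;   /* the ISR can run only while this is true */
    int stale_hits;        /* ISR runs that found the pipe array already freed */
};

/* Model of the ISR: it needs the pipe array, so record a hit if it is gone. */
static void model_isr(struct model_priv *p)
{
    if (!p->irq_registered)
        return;            /* handler released: the interrupt is not delivered */
    if (p->pipes == NULL)
        p->stale_hits++;   /* in the driver this access is the use-after-free */
    else
        p->pipes[0]++;     /* normal handling touches live pipe state */
}

/* One teardown step of the modelled remove path. */
static void do_step(struct model_priv *p, enum step s)
{
    if (s == STEP_PIPE_REMOVE) {
        free(p->pipes);
        p->pipes = NULL;
    } else {
        p->irq_registered = false; /* the real call also waits for a running ISR */
    }
}

/* Try an interrupt at every point of the teardown; return how many are unsafe. */
int unsafe_windows(const enum step *order, int nsteps)
{
    int unsafe = 0;
    for (int at = 0; at <= nsteps; at++) {
        struct model_priv p = { calloc(4, sizeof(int)), true, 0 };
        if (p.pipes == NULL) return -1;
        for (int i = 0; i <= nsteps; i++) {
            if (i == at) model_isr(&p);
            if (i < nsteps) do_step(&p, order[i]);
        }
        free(p.pipes);     /* no-op when the pipe-remove step already ran */
        unsafe += p.stale_hits;
    }
    return unsafe;
}
const enum step ORDER_BEFORE_FIX[] = { STEP_PIPE_REMOVE, STEP_FREE_IRQ };
const enum step ORDER_AFTER_FIX[]  = { STEP_FREE_IRQ, STEP_PIPE_REMOVE };
```

With the pre-fix order there is one unsafe window, between pipe removal and IRQ release; with the fixed order there is none.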

Added: May 8, 2026, 8:36 PM
Updated: May 8, 2026, 8:36 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.