CVE-2026-31721
USB HID Gadget Use-After-Free in Linux Kernel
Publication date: 2026-05-01
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 3.19 (inc) to 5.10.253 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.169 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.135 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.81 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.22 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.12 (exc) |
| linux | linux_kernel | 7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the Linux kernel's USB gadget HID function (f_hid). It is triggered by the following sequence: set up and bind an HID gadget, open /dev/hidg0, register the file descriptor with EPOLL_CTL_ADD, unbind and then rebind the USB Device Controller (UDC), and finally remove the descriptor with EPOLL_CTL_DEL.
The root cause is that the wait queue heads f_hid hands to poll_wait() were initialized in the bind function (hidg_bind) with init_waitqueue_head(). A function instance outlives an unbind/rebind cycle, so rebinding re-initialized those heads while epoll's wait entries were still linked on them. The entry left behind now points at a head that no longer points back at it, which the later list_del() in EPOLL_CTL_DEL reports as list corruption when CONFIG_DEBUG_LIST is enabled; without CONFIG_DEBUG_LIST the same unlink silently writes through the stale pointers.
The fix moves the initialization of these queues from the bind function to the allocation function (hidg_alloc), so their lifetime matches the function instance rather than a single bind, and an unbind/rebind cycle can no longer reset a queue that still has waiters on it.
How can this vulnerability impact me?
This vulnerability corrupts kernel list structures when an HID gadget device is used under a specific sequence: the UDC is unbound and rebound while an open /dev/hidg0 descriptor is still registered with epoll. Triggering it requires the ability to bind and unbind the UDC (normally a privileged configfs operation) as well as access to /dev/hidg0, so it mainly affects systems acting as USB gadgets.
Such corruption can lead to kernel warnings, crashes, or unpredictable behaviour of the HID gadget, affecting the reliability and security of the device.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is resolved by moving the initialization of the wait queue heads, together with the lists and spinlocks set up alongside them, from the bind function (hidg_bind) to the allocation function (hidg_alloc) in the Linux kernel's HID gadget driver (f_hid). To mitigate it, update to a kernel that includes this fix; according to the affected-version table above, that means at least 5.10.253, 5.15.203, 6.1.169, 6.6.135, 6.12.81, 6.18.22 or 6.19.12 on the respective stable branches.
To confirm a kernel is fixed, check that its drivers/usb/gadget/function/f_hid.c performs the init_waitqueue_head() calls in hidg_alloc rather than hidg_bind. Until the kernel can be updated, an interim measure derived from the trigger sequence is to avoid unbinding and rebinding the UDC while /dev/hidg0 is open and registered with epoll; enabling CONFIG_DEBUG_LIST turns the otherwise silent corruption into a detectable warning.
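The explanation and the mitigation above both hinge on the same mechanism: a wait queue head re-initialized while an entry is still linked on it, later unlinked by list_del(). The userspace model below is an added example, not the kernel's f_hid code; it reimplements a kernel-style intrusive list with the CONFIG_DEBUG_LIST pre-unlink check and replays the reproduction steps (bind, EPOLL_CTL_ADD, unbind/rebind, EPOLL_CTL_DEL) with the initialization placed either in the bind path (the bug) or in the alloc path (the fix). The structure and function names (f_hidg, hidg_alloc, hidg_bind, poll_wait) mirror the driver's names but are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal intrusive doubly-linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *item, struct list_head *head)
{
    struct list_head *next = head->next;
    next->prev = item;
    item->next = next;
    item->prev = head;
    head->next = item;
}

/* Mirrors the CONFIG_DEBUG_LIST sanity check done before unlinking:
 * both neighbours must still point back at the entry being removed. */
static bool list_del_entry_valid(const struct list_head *e)
{
    return e->prev->next == e && e->next->prev == e;
}

/* Returns false instead of unlinking when the DEBUG_LIST check fails
 * ("list_del corruption"); without DEBUG_LIST the writes would just proceed. */
static bool list_del(struct list_head *e)
{
    if (!list_del_entry_valid(e))
        return false;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = e->prev = NULL;
    return true;
}

/* Model of a wait queue head and of the entry epoll parks on it via poll_wait(). */
struct wait_queue_head  { struct list_head head; };
struct wait_queue_entry { struct list_head entry; const char *owner; };

static void init_waitqueue_head(struct wait_queue_head *q) { INIT_LIST_HEAD(&q->head); }

/* Stand-in for the gadget function instance (assumed layout, not the driver's). */
struct f_hidg {
    struct wait_queue_head read_queue;
    struct wait_queue_head write_queue;
};

enum init_site { INIT_IN_BIND, INIT_IN_ALLOC };

/* Allocation: the instance lives across unbind/rebind cycles. */
static void hidg_alloc(struct f_hidg *hidg, enum init_site site)
{
    memset(hidg, 0, sizeof *hidg);
    if (site == INIT_IN_ALLOC) {          /* fixed behaviour: initialised once */
        init_waitqueue_head(&hidg->read_queue);
        init_waitqueue_head(&hidg->write_queue);
    }
}

/* Bind: runs every time the UDC is (re)bound to the gadget. */
static void hidg_bind(struct f_hidg *hidg, enum init_site site)
{
    if (site == INIT_IN_BIND) {           /* buggy behaviour: reset on every bind */
        init_waitqueue_head(&hidg->read_queue);
        init_waitqueue_head(&hidg->write_queue);
    }
}

/* poll_wait(): epoll links its wait entry onto the queue and leaves it there
 * until EPOLL_CTL_DEL (or close of the descriptor) removes it. */
static void poll_wait(struct wait_queue_head *q, struct wait_queue_entry *w)
{
    list_add(&w->entry, &q->head);
}

/* Replays the advisory's trigger sequence. Returns true when the final
 * EPOLL_CTL_DEL unlink passes the DEBUG_LIST check, false on corruption. */
static bool replay(enum init_site site)
{
    struct f_hidg hidg;
    struct wait_queue_entry ep_entry = { .owner = "epoll item for /dev/hidg0" };

    hidg_alloc(&hidg, site);
    hidg_bind(&hidg, site);                   /* bind the UDC */
    poll_wait(&hidg.read_queue, &ep_entry);   /* open /dev/hidg0 + EPOLL_CTL_ADD -> poll_wait() */
    hidg_bind(&hidg, site);                   /* unbind, then rebind the UDC: entry still queued */
    return list_del(&ep_entry.entry);         /* EPOLL_CTL_DEL -> remove_wait_queue() */
}

int main(void)
{
    printf("init in hidg_bind : %s\n",
           replay(INIT_IN_BIND) ? "clean unlink" : "list_del corruption detected");
    printf("init in hidg_alloc: %s\n",
           replay(INIT_IN_ALLOC) ? "clean unlink" : "list_del corruption detected");
    return 0;
}
```

With the initialization in the bind path, the second hidg_bind() resets read_queue to an empty ring while the epoll entry still points at it, and the entry's prev->next no longer equals the entry, which is exactly the condition the kernel's DEBUG_LIST check reports; with the initialization in the alloc path the queue survives the rebind intact and the unlink is clean. The model deliberately stops at the check rather than continuing to write through the stale pointers, which is what a production kernel without CONFIG_DEBUG_LIST would do.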