Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function.
The function currently frees the driver_data directly within the loop
that destroys the HID devices, which can lead to accessing freed memory.
Specifically, hid_destroy_device() uses driver_data when it calls
hid_ishtp_set_feature() to power off the sensor, so freeing
driver_data beforehand can result in accessing invalid memory.
This patch resolves the issue by storing the driver_data in a temporary
variable before calling hid_destroy_device(), and then freeing the
driver_data after the device is destroyed.
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 6 ELS , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 7 ELS , Oracle Linux 6 ELS , Oracle Linux 7 ELS , RHEL 7 ELS , TuxCare 9.6 ESU , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS , Ubuntu 20.04 ELS
- Affected packages:
- kernel @ 3.10.0 (+14 more)
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function.
The function currently frees the driver_data directly within the loop
that destroys the HID devices, which can lead to accessing freed memory.
Specifically, hid_destroy_device() uses driver_data when it calls
hid_ishtp_set_feature() to power off the sensor, so freeing
driver_data beforehand can result in accessing invalid memory.
This patch resolves the issue by storing the driver_data in a temporary
variable before calling hid_destroy_device(), and then freeing the
driver_data after the device is destroyed.