CVE-2022-50568

Vulnerability

The Linux kernel's USB gadget function driver for HID (f_hid) contains a lifetime management flaw. The embedded struct cdev (character device) does not have its lifetime correctly tied to the enclosing struct f_hidg. This leads to a use-after-free condition if /dev/hidgN is held open while the USB gadget is deleted [1][2][3].

Exploitation

An attacker with local access to the system can exploit this by opening the /dev/hidgN device file (e.g., via exec 3<> /dev/hidg0) and then triggering the removal of the USB gadget (e.g., via gadget-vid-pid-remove). No special privileges beyond the ability to open the device file and trigger gadget removal are required, though the attacker must be able to interact with the USB gadget subsystem [1][2][3].

Impact

Successful exploitation results in a use-after-free, which can lead to memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context. The vulnerability is rated with a CVSS score of 7.8 (High) [1][2][3].

Mitigation

The fix involves pulling the existing device object into struct f_hidg and using the cdev_device_{add,del}() helpers to properly tie the character device's lifetime to the gadget function. This ensures that the device object's lifetime matches struct f_hidg, preventing the use-after-free. The patch has been applied to the stable kernel tree [1][2][3].