Linux · Linux Kernel · CVE-2024-26996
Name of the Vulnerable Software and Affected Versions:
Linux kernel (affected versions not specified)
Description:
The issue is a use-after-free error in the Linux kernel's USB gadget functionality, specifically in the `f_ncm` module. When the `ncm` function is working and the `usb0` interface is stopped for link down, `eth_stop()` is called. If a USB transport error occurs in `usb_ep_enable()`, the `in_ep` and/or `out_ep` may not be enabled. As a result, `ncm_disable()` is called to disable the `ncm` unbind, but `gether_disconnect()` is never called since `in_ep` is not enabled. This leads to the `ncm` object being released in `ncm_unbind()` while the `dev->port_usb` associated with `ncm->port` is not NULL. When the `ncm` bind is called again to recover the `netdev`, the `ncm` object is reallocated, but the `usb0` interface is already associated with the previously released `ncm` object. This can cause a use-after-free memory error when `eth_start_xmit()` is called.
Technical details about exploitation include:
- The `ncm_disable()` function not calling `gether_disconnect()` due to `in_ep` not being enabled.
- The `ncm` object being released in `ncm_unbind()` but `dev->port_usb` remaining associated with the released object.
- The `ncm` object being reallocated when `ncm` bind is called again, but the `usb0` interface still being associated with the previously released `ncm` object.
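The lifecycle described above, as an added userspace model in C (not kernel code and not taken from the advisory). Function names follow the description but their bodies are simplified stand-ins; `ncm_disable_by_assoc()`, `run_cycle()` and `xmit_hits_released_port()` are hypothetical names, and the by-association check is an assumed hardening, not the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model: names follow the advisory, bodies are simplified stand-ins. */
struct gether  { bool alive; bool in_ep_enabled; };  /* ncm->port */
struct eth_dev { struct gether *port_usb; };         /* usb0 side, outlives ncm */

/* Allocation is modeled by the alive flag, so nothing is really freed. */
static void ncm_bind(struct gether *port) { *port = (struct gether){ .alive = true }; }
static void ncm_unbind(struct gether *port) { port->alive = false; }
static void gether_connect(struct eth_dev *dev, struct gether *port) {
    port->in_ep_enabled = true;
    dev->port_usb = port;
}
static void gether_disconnect(struct eth_dev *dev, struct gether *port) {
    port->in_ep_enabled = false;
    dev->port_usb = NULL;
}
/* Link down: the usb_ep_enable() call may fail with a transport error. */
static void eth_stop(struct eth_dev *dev, bool ep_error) {
    if (dev->port_usb) dev->port_usb->in_ep_enabled = !ep_error;
}
/* Pattern described in the advisory: disconnect gated on endpoint state. */
static void ncm_disable_gated(struct eth_dev *dev, struct gether *port) {
    if (port->in_ep_enabled) gether_disconnect(dev, port);
}
/* Assumed hardening (hypothetical): gate on the association, not the endpoint. */
static void ncm_disable_by_assoc(struct eth_dev *dev, struct gether *port) {
    if (dev->port_usb == port) gether_disconnect(dev, port);
}
/* True if eth_start_xmit() would follow port_usb into a released object. */
static bool xmit_hits_released_port(const struct eth_dev *dev) {
    return dev->port_usb != NULL && !dev->port_usb->alive;
}
/* bind -> connect -> link down -> disable -> unbind -> re-bind -> xmit check */
static bool run_cycle(bool ep_error, bool by_assoc) {
    struct eth_dev dev = { NULL };
    struct gether first, second;
    ncm_bind(&first);
    gether_connect(&dev, &first);
    eth_stop(&dev, ep_error);
    (by_assoc ? ncm_disable_by_assoc : ncm_disable_gated)(&dev, &first);
    ncm_unbind(&first);
    ncm_bind(&second);  /* re-bind: new object, dev.port_usb is not updated */
    return xmit_hits_released_port(&dev);
}
int main(void) {
    printf("gated+error=%d by_assoc+error=%d\n", run_cycle(true, false), run_cycle(true, true));
    return 0;
}
```

Only the combination of an endpoint error and the endpoint-gated disable leaves `port_usb` pointing at the released object; every other path clears it before unbind.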
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.