usb usbtmc URB Release UAF

Vulnerability analysis

Root Cause: The usbtmc_release() function fails to properly flush pending anchored URBs before releasing file resources. When a file handle is closed, any outstanding USB Request Blocks (URBs) that were anchored to that file's data structure remain active. These URBs can complete asynchronously after the file data structures have been freed, leading to use-after-free conditions when the USB Host Controller Driver (HCD) attempts to access the freed memory during URB completion callbacks.

Attack Surface: This vulnerability affects systems with USB Test and Measurement Class (USBTMC) devices connected. The attack surface is local, requiring physical access to connect a malicious USB device or the ability to trigger specific timing conditions during file handle closure. The vulnerability can be triggered by unplugging a USBTMC device or closing file handles at specific timing windows.

Fix Mechanism: The patch adds a call to usbtmc_draw_down(file_data) in the usbtmc_release() function before releasing the io_mutex. This function properly flushes or kills all anchored URBs associated with the file handle, ensuring they complete before the file data structures are freed. This prevents the HCD from accessing freed memory during asynchronous URB completion.