In the Linux kernel, the following vulnerability has been resolved:
ALSA: 6fire: fix use-after-free on disconnect
In usb6fire_chip_abort(), the chip struct is allocated as the card's
private data (via snd_card_new with sizeof(struct sfire_chip)). When
snd_card_free_when_closed() is called and no file handles are open, the
card and embedded chip are freed synchronously. The subsequent
chip->card = NULL write then hits freed slab memory.
Call trace:
usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
...
hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953
Fix by moving the card lifecycle out of usb6fire_chip_abort() and into
usb6fire_chip_disconnect(). The card pointer is saved in a local
before any teardown, snd_card_disconnect() is called first to prevent
new opens, URBs are aborted while chip is still valid, and
snd_card_free_when_closed() is called last so chip is never accessed
after the card may be freed.
A use-after-free vulnerability exists in the Linux kernel's ALSA 6fire USB audio driver during device disconnection. When a USB 6fire audio device is disconnected, improper memory management in the chip abort function causes access to freed memory, potentially leading to kernel crashes or privilege escalation. This affects systems with 6fire USB audio devices connected, particularly in professional audio and multimedia environments.
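The teardown ordering described above, as an added userspace model in C (not the driver's code or the upstream patch). The model_* helpers, chip_set_card() and simulate() are hypothetical names; the "freed" state is tracked with a flag so the late write can be counted without touching freed memory, and clearing chip->card before the free in the fixed path is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not driver code. The chip is the card's private data,
 * so releasing the card releases the chip with it. */
struct card;
struct chip { struct card *card; bool urbs_active; };
struct card { int open_files; bool disconnected, released; struct chip priv; };
static int stale_writes; /* chip writes made after the card was released */
/* Models snd_card_disconnect(): no new opens from here on. */
static void model_disconnect(struct card *c) { c->disconnected = true; }
/* Models snd_card_free_when_closed(): released at once if nothing is open.
 * Only a flag is set; real memory is freed later in simulate(). */
static void model_free_when_closed(struct card *c) { if (c->open_files == 0) c->released = true; }
/* Every chip->card store goes through here so a stale one is caught. */
static void chip_set_card(struct card *owner, struct card *v)
{
    if (owner->released) stale_writes++; else owner->priv.card = v;
}
/* Ordering the advisory describes as vulnerable: free, then write to chip. */
static void abort_vulnerable(struct card *owner)
{
    owner->priv.urbs_active = false;
    model_free_when_closed(owner->priv.card);
    chip_set_card(owner, NULL);             /* chip may already be gone */
}
/* Ordering the advisory describes as the fix. */
static void disconnect_fixed(struct card *owner)
{
    struct card *card = owner->priv.card;   /* saved before any teardown */
    model_disconnect(card);                 /* first: block new opens */
    owner->priv.urbs_active = false;        /* URBs aborted, chip still valid */
    chip_set_card(owner, NULL);             /* assumption: cleared before free */
    model_free_when_closed(card);           /* last: chip unused afterwards */
}
/* Returns the number of stale chip writes seen during one disconnect. */
static int simulate(bool fixed, int open_files)
{
    struct card *c = calloc(1, sizeof(*c));
    if (!c) return -1;
    c->open_files = open_files; c->priv.card = c; c->priv.urbs_active = true;
    stale_writes = 0;
    if (fixed) disconnect_fixed(c); else abort_vulnerable(c);
    free(c);
    return stale_writes;
}

int main(void) { printf("vulnerable=%d fixed=%d\n", simulate(false, 0), simulate(true, 0)); return 0; }
```

With an open file handle the release is deferred, so the vulnerable ordering only misbehaves in the no-open-handles case the description names.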
Immediate Actions:
1. Identify systems with 6fire USB audio devices connected by checking: lsusb | grep -i 6fire or dmesg | grep 6fire
2. Disconnect 6fire USB audio devices from affected systems immediately if not critical to operations
3. Restrict physical USB port access to prevent unauthorized device connections
Patching Guidance:
1. Update Linux kernel to patched version (check your distribution's security advisories for specific kernel versions)
2. For RHEL/CentOS: yum update kernel
3. For Ubuntu/Debian: apt update && apt upgrade linux-image-generic
4. For SLES: zypper update kernel-default
5. Reboot systems after kernel update
Compensating Controls (if immediate patching not possible):
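1. Prevent the 6fire driver from loading automatically: echo 'blacklist snd_usb_6fire' >> /etc/modprobe.d/blacklist.conf (this blocks only the snd_usb_6fire module, not USB audio support in general, and does not unload a module that is already loaded)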
2. Restrict USB device access via udev rules
3. Monitor system logs for audio device disconnection events
4. Implement kernel module signing and secure boot to prevent unauthorized module loading
Detection Rules:
1. Monitor kernel logs for: 'usb6fire_chip_disconnect' or 'use-after-free' messages
2. Alert on unexpected kernel panic/oops events
3. Track USB device connection/disconnection events: udevadm monitor --property
4. Monitor dmesg for ALSA-related errors: dmesg | grep -i alsa