A flaw was found in the Linux kernel: a race condition in the USB character device driver layer that can be triggered by a malicious USB device. An attacker who is able to hot plug at least two devices of this class can cause a use-after-free situation.
This affects the generic character device layer devices and not a specific device driver.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1783563]
This was fixed for Fedora with the 5.2.10 stable kernel updates.
While I do understand the race condition that leads to this, it would be somewhat difficult to exploit this flaw with physical access. Timing physical control of the removal of devices to this level would be harder than you think (I tried ~100 times and maybe I'm just bad at it).
The other, and more likely, method would be using USB over IP ( https://www.kernel.org/doc/readme/tools-usb-usbip-README ), which I had also attempted ~65,000 times; it didn't trigger on my system even after trying multiple different ways of forcing the race condition. Using this method required root access to attach/detach; with these permissions this attack vector is somewhat contrived.
I'm proposing this be fixed in relevant y streams; I don't think it's usable enough as an attack vector for a z stream immediate fix.
Many character devices can trigger this flaw as they leverage the lower levels of the USB subsystem.
The safest method that I have found would be to disable USB ports that are able to be attacked using this method. Disable them first by disallowing them from waking up from low-power states with the command (replace X with the port number available):
echo disabled >> /sys/bus/usb/devices/usbX/power/wakeup
The system must also disable the specific port's power afterwards with the command:
echo suspend | sudo tee /sys/bus/usb/devices/usbX/power/level
This change does not persist through system reboots and must be applied at each reboot to be effective.
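
Because the settings are lost at reboot, the two writes above can be wrapped in a script that applies them to every usbX entry and reads each attribute back to confirm it took effect. This is an added example, not part of the original report; the function names and the optional root-directory argument are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the original report): apply the two writes above to
# every usbX entry and confirm each one by reading the attribute back.
# Function names and the optional ROOT argument are assumptions made here.

# set_attr FILE VALUE: write VALUE to FILE, then verify it reads back as VALUE.
set_attr() {
    [ -w "$1" ] || { echo "  $1: missing or not writable" >&2; return 1; }
    printf '%s\n' "$2" > "$1" 2>/dev/null || { echo "  $1: write rejected" >&2; return 1; }
    [ "$(cat "$1")" = "$2" ] || { echo "  $1: value did not stick" >&2; return 1; }
}

# apply_usb_mitigation [ROOT]: exit status is the number of attributes that
# could not be set, so 0 means every usbX entry was handled completely.
apply_usb_mitigation() {
    root=${1:-/sys/bus/usb/devices}
    failed=0
    for hub in "$root"/usb[0-9]*; do
        [ -d "$hub" ] || continue          # glob matched nothing
        echo "${hub##*/}"
        # Order follows the report: wakeup first, then port power.
        set_attr "$hub/power/wakeup" disabled || failed=$((failed + 1))
        set_attr "$hub/power/level"  suspend  || failed=$((failed + 1))
    done
    return "$failed"
}
```

Source the file and call `apply_usb_mitigation` as root from a boot-time script; a non-zero status means at least one attribute was not changed and the port should be checked by hand.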