Linux Kernel NFC NCI Device Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's NFC (Near Field Communication) subsystem, specifically within the NCI (NFC Controller Interface) device management. This vulnerability arises from a race condition created by the interaction between timers and workqueues, leading to concurrent access of freed memory. The issue can be triggered when an NCI device is detached while a command is still being processed, causing the cleanup routine to mistakenly believe that a timer has been properly detached. As a result, the timer can be reattached after it has been freed, creating a use-after-free scenario.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, which can commonly be exploited to execute arbitrary code or cause a system crash.

Reproduction

The vulnerability can be reproduced by registering an NCI device and then quickly unregistering it while a command is being sent to the device. This can be done by opening the device, sending a reset command, and then closing the device before the command is fully processed. The race condition will cause the use-after-free vulnerability to trigger, as the device's cleanup routine will attempt to free memory that is still in use.