Linux Kernel VESA Framebuffer Driver Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's VESA framebuffer (vesafb) driver. This issue arises because the driver improperly manages the cleanup of framebuffer information. The vulnerability occurs when the .fb_destroy callback is executed after the .remove callback, leading to the .fb_destroy function accessing a pointer that has already been freed. Although a recent commit aimed to address this by ensuring the cleanup occurs in the correct order, it overlooked a scenario where .fb_destroy could be called before .remove, particularly if the framebuffer device is not in use. In such cases, the framebuffer information is freed when unregister_framebuffer() is called, leaving the pointer invalid when accessed in vesafb_remove().

Impact

Triggering this vulnerability produces a use-after-free condition, which may be exploited to execute arbitrary code or to crash the system (denial of service).

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.0
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.