Linux Kernel Use-After-Free Vulnerability in NFC PN533 Driver

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's NFC PN533 driver. The issue arises when a PN532 UART device is detached: 'pn532_uart_remove()' does not delete the 'cmd_timeout' timer before the device's memory is freed, so a still-pending timer callback can run against memory that has already been released. The vulnerability is triggered when 'pn532_uart_send_frame' is called concurrently with the removal process, leaving the timer armed while the memory it references is freed.

Impact

Exploitation of this vulnerability can lead to memory corruption issues, potentially allowing for arbitrary code execution or causing a system crash.

Reproduction

The vulnerability can be reproduced by detaching the PN532 UART device while the 'cmd_timeout' timer is still active. Because 'pn532_uart_remove()' runs without first stopping the timer, the timer callback races with the removal path and can access memory that has already been freed.

Remediation

The vulnerability has been addressed by adding a call to 'del_timer_sync()' in the 'pn532_uart_remove()' function, ensuring that the timeout timer is properly stopped before the associated memory is freed.
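The ordering the fix enforces, as an added userspace model (not the driver's code): a one-slot fake timer wheel stands in for the kernel's, 'kfree' only poisons the object so a late callback is counted instead of being undefined behaviour, and every name ending in '_model' is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the pn532_uart remove()/cmd_timeout race.  A one-slot
 * fake timer wheel stands in for the kernel's; kfree only poisons the object
 * (a KASAN-style check), so a late callback is detected, not undefined.
 * All _model names are assumptions, not the driver's identifiers. */
struct timer_model { void (*function)(struct timer_model *); bool pending; };
struct pn532_uart_phy_model {        /* stand-in for the driver's per-device struct */
    struct timer_model cmd_timeout;
    bool freed;                      /* poison flag set when the device is freed */
};
static struct timer_model *armed;    /* the single timer-wheel slot */
static void mod_timer_model(struct timer_model *t) { t->pending = true; armed = t; }

/* del_timer_sync(): deactivate the timer; nothing can fire after this returns. */
static void del_timer_sync_model(struct timer_model *t)
{
    t->pending = false;
    if (armed == t)
        armed = NULL;
}

/* Timer wheel expiring after remove() returned: runs whatever is still armed.
 * Returns 1 if the handler finds its device already freed, else 0. */
static int timer_wheel_expire_model(void)
{
    struct timer_model *t = armed;
    if (!t || !t->pending)
        return 0;
    armed = NULL;
    t->pending = false;
    /* container_of(): the handler recovers the device from the timer, as the driver does */
    struct pn532_uart_phy_model *pn532 = (struct pn532_uart_phy_model *)
        ((char *)t - offsetof(struct pn532_uart_phy_model, cmd_timeout));
    return pn532->freed ? 1 : 0;     /* KASAN would report a use-after-free here */
}

/* Detach while a command is in flight.  Returns the number of use-after-free
 * hits: 1 on the unpatched path, 0 once del_timer_sync() precedes the free. */
int detach_model(bool patched)
{
    static struct pn532_uart_phy_model dev;   /* static: never really released */
    dev.freed = false;
    dev.cmd_timeout.pending = false;
    mod_timer_model(&dev.cmd_timeout);        /* send_frame armed cmd_timeout */
    if (patched)
        del_timer_sync_model(&dev.cmd_timeout);  /* the fix: cancel before free */
    dev.freed = true;                         /* kfree() in remove() */
    return timer_wheel_expire_model();        /* timer wheel runs later */
}
```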

Added: Jun 18, 2025, 8:28 PM
Updated: Jun 18, 2025, 8:28 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  3.9
  remediation     0.0
  relevance       0.2
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.