Linux Kernel HDMI and CVBS Encoder Memory Corruption Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of DRM bridges for HDMI and CVBS encoders, specifically in versions through 5.19.0-rc6. The issue arises because bridges added by the 'meson_encoder_hdmi_init' and 'meson_encoder_cvbs_init' functions were not removed when the modules were unloaded. This oversight left dangling references to freed memory, which, when the modules were loaded again, caused the system to access invalid memory locations. The problem was detected by KASAN, which reported a read of freed memory that had been previously allocated, indicating a memory corruption issue.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, causing memory corruption that can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by loading the 'meson' DRM driver module, which initializes the HDMI and CVBS encoders, unloading it, and then loading it again. Because the bridges are not removed on unload, the second load calls the same init functions while the references left by the first load still point at freed memory. A script that loads and unloads the module automates this and triggers the use-after-free condition.
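The load, unload, load sequence described above can be modelled in userspace to show why the missing removal matters. This is an added example, not kernel code or the upstream fix; every name in it (bridge_list, module_load, module_unload, reload_cycle) is a hypothetical stand-in, and "freeing" is modelled with a flag in a static arena so that no freed memory is actually read.

```c
/* Userspace model, not kernel code: a global bridge list outlives the
 * module whose encoder memory its entries point into. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define SLOTS 4
struct bridge { bool owner_live; };        /* embedded in encoder memory */
struct encoder { struct bridge bridge; };  /* per-load driver state */
static struct bridge *bridge_list[SLOTS];  /* global: survives module unload */
static struct encoder arena[SLOTS];        /* constructed arena, so no real free() */
static size_t next_slot;

static void bridge_add(struct bridge *b) {
    for (size_t i = 0; i < SLOTS; i++)
        if (!bridge_list[i]) { bridge_list[i] = b; return; }
}
static void bridge_remove(struct bridge *b) {
    for (size_t i = 0; i < SLOTS; i++)
        if (bridge_list[i] == b) bridge_list[i] = NULL;
}
static struct encoder *module_load(void) {
    struct encoder *e = &arena[next_slot++ % SLOTS];
    e->bridge.owner_live = true;
    bridge_add(&e->bridge);               /* what the *_init functions do */
    return e;
}
static void module_unload(struct encoder *e, bool remove_bridge) {
    if (remove_bridge)
        bridge_remove(&e->bridge);        /* the step the vulnerable unload path skipped */
    e->bridge.owner_live = false;         /* models the encoder memory being freed */
}
/* Count list entries whose backing memory is gone: each is a read KASAN would flag. */
static int stale_entries(void) {
    int n = 0;
    for (size_t i = 0; i < SLOTS; i++)
        if (bridge_list[i] && !bridge_list[i]->owner_live) n++;
    return n;
}
/* load -> unload -> load, returning stale entries visible to the second load */
int reload_cycle(bool remove_bridge) {
    for (size_t i = 0; i < SLOTS; i++) bridge_list[i] = NULL;
    next_slot = 0;
    module_unload(module_load(), remove_bridge);
    module_load();
    return stale_entries();
}
int main(void) {
    printf("no removal: %d stale, with removal: %d stale\n", reload_cycle(false), reload_cycle(true));
    return 0;
}
```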

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux documentation.

Added: Sep 15, 2025, 9:25 PM
Updated: Sep 15, 2025, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.