Linux Kernel ACPICA Component Use-After-Free Vulnerability in ACPI Method Handling

Vulnerability

A use-after-free vulnerability has been identified in the ACPI method handling of the Linux kernel's ACPICA component. The issue arises in the function 'acpi_ps_parse_aml()' following a failed invocation of 'acpi_ds_call_control_method()'. The problem, reported by KASAN, is that 'next_walk_state' is pushed to the thread by 'acpi_ds_create_walk_state()' but is not popped before the error occurs, so an incorrect walk state is returned afterwards. The vulnerability affects several versions of the Linux kernel.
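The pushed-but-not-popped pattern described above, as an added example: a simplified user-space model, not ACPICA or kernel code. All names are hypothetical stand-ins, a cleared 'live' flag stands in for freeing the object, and the corrected ordering is an assumption drawn from the description, not the upstream patch.

```c
/* Simplified user-space model of a per-thread walk-state stack (added example,
 * not kernel code). All names are hypothetical; "live = 0" stands in for a free. */
#include <stddef.h>

struct walk_state { int live; struct walk_state *next; };
struct thread_state { struct walk_state *walk_state_list; };

static struct walk_state pool[4];   /* static storage, so nothing is really freed */
static size_t pool_used;

/* Like the create step described above: allocate AND push onto the thread. */
static struct walk_state *create_walk_state(struct thread_state *t)
{
    struct walk_state *ws = &pool[pool_used++];
    ws->live = 1;
    ws->next = t->walk_state_list;
    t->walk_state_list = ws;
    return ws;
}

static void pop_walk_state(struct thread_state *t)
{
    if (t->walk_state_list)
        t->walk_state_list = t->walk_state_list->next;
}

/* A method call that fails after the callee's state was created and pushed. */
static int call_control_method(struct thread_state *t, int pop_on_error)
{
    struct walk_state *next = create_walk_state(t);
    if (pop_on_error)
        pop_walk_state(t);          /* corrected ordering: unlink before release */
    next->live = 0;                 /* error path releases the new state */
    return -1;                      /* constructed failure */
}

/* Returns 1 if, after the failed call, the thread's current state is a released one. */
int current_state_is_stale(int pop_on_error)
{
    struct thread_state t = { NULL };
    pool_used = 0;
    create_walk_state(&t);          /* the caller's own walk state */
    call_control_method(&t, pop_on_error);
    return t.walk_state_list->live == 0;
}
```

When the error path releases the state without unlinking it, the thread's list head still points at the released object, which is the state the parser loop would pick up next.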

Impact

The resulting use-after-free condition may be exploited to cause memory corruption or potentially execute arbitrary code.

Reproduction

The vulnerability can be reproduced by invoking an ACPI control method that triggers an error, without properly managing the walk state. This can be done by manipulating ACPI methods in a way that causes 'acpi_ds_call_control_method()' to fail, while ensuring that 'next_walk_state' is not popped from the thread, thereby creating a use-after-free scenario when 'acpi_ps_parse_aml()' is called.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.

Added: Sep 18, 2025, 5:31 PM
Updated: Sep 18, 2025, 5:31 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.