Linux Kernel ACPICA Component Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's ACPICA component, specifically within the 'acpi_ut_copy_ipackage_to_ipackage()' function. This vulnerability allows for memory corruption, as the 'acpi_operand_object' is improperly freed, leading to a double release when 'acpi_ut_copy_iobject_to_iobject()' is called. The issue was introduced in a previous commit that aimed to fix a memory leak, but instead created a scenario where objects could be accessed after they had been freed. The vulnerability was reported by KASAN, indicating a read of freed memory by the 'modprobe' task.
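The double release described above, as a simplified user-space model (an added example, not ACPICA or kernel code; `obj`, `inner_copy`, `outer_copy` and `run_failing_copy` are hypothetical names, and the split of cleanup between two layers is an assumption). It tracks a `freed` flag instead of calling `free()`, so a second release is counted rather than causing undefined behaviour.

```c
#include <stdio.h>

/* Model object. "freed" is a flag rather than a real free(), so a second
 * release can be counted without undefined behaviour. */
struct obj { int refcount; int freed; };
struct result { int bad_releases; int leaked; };

static int bad_releases; /* releases that touched an already-freed object */

static void obj_release(struct obj *o)
{
    if (o->freed) { bad_releases++; return; } /* the access KASAN reports */
    if (--o->refcount == 0)
        o->freed = 1;
}

/* Inner step (stands in for the package copy); may release dest on failure. */
static int inner_copy(struct obj *dest, int fail, int inner_cleans)
{
    if (fail && inner_cleans)
        obj_release(dest);
    return fail ? -1 : 0;
}

/* Outer step (stands in for the object copy); may also release on failure. */
static int outer_copy(struct obj *dest, int fail, int inner_cleans, int outer_cleans)
{
    int status = inner_copy(dest, fail, inner_cleans);
    if (status != 0 && outer_cleans)
        obj_release(dest);
    return status;
}

/* Run one failing copy and report double releases and leaks. */
struct result run_failing_copy(int inner_cleans, int outer_cleans)
{
    struct obj dest = { 1, 0 };          /* constructed sample object */
    struct result r;
    bad_releases = 0;
    outer_copy(&dest, 1, inner_cleans, outer_cleans);
    r.bad_releases = bad_releases;
    r.leaked = !dest.freed;
    return r;
}

int main(void)
{
    printf("both layers clean up: %d bad release(s)\n", run_failing_copy(1, 1).bad_releases);
    printf("one layer cleans up:  %d bad release(s)\n", run_failing_copy(0, 1).bad_releases);
    return 0;
}
```

In the model, cleanup in neither layer leaks the object, cleanup in both releases it twice, and cleanup in exactly one layer does neither.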

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by loading a module that interacts with ACPI (for example with 'modprobe') on a kernel that includes the vulnerable 'acpi_ut_copy_ipackage_to_ipackage()' function. This can be done by using a Linux kernel version that is affected by this vulnerability, such as 6.1.0-rc7.

Remediation

Users can upgrade to a patched version of the Linux kernel where this vulnerability has been fixed. The specific commit that addresses this issue is '01f2c2052ea50fb9a8ce12e4e83aed0267934ef0', which is available in the Linux kernel stable tree.

Added: Oct 1, 2025, 1:15 PM
Updated: Oct 1, 2025, 1:15 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.