Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.0.0-09039-ga6afa4199d3d-dirty, < 6.0.0-09039-ga6afa4199d3d-dirty
A use-after-free vulnerability has been identified in the Linux kernel's Wi-Fi AR5523 driver. This issue arises in the 'ar5523_cmd' function, where a command timeout can lead to the premature release of a device structure. Consequently, the 'ar5523_cmd_tx_cb' callback may attempt to access this freed memory, causing a use-after-free condition. The vulnerability was reported by syzkaller, which provided a stack trace indicating the memory access issue.
Exploiting this vulnerability causes the kernel to access a memory area that has already been freed, which can result in memory corruption or potentially allow arbitrary code execution.
The vulnerability can be reproduced by triggering a command timeout in the 'ar5523_cmd' function while the 'ar5523_cmd_tx_cb' callback is still processing. This can be done by sending a command that takes longer than the expected timeout period, causing the 'ar5523_cmd' function to time out and release the device structure before the callback has finished processing.
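The lifetime problem described above, as an added userspace model (not the driver's code and not the upstream patch, which this page does not show). All names are hypothetical, and "freeing" is modelled with a flag so the late callback can be counted safely; cancelling the pending transfer on timeout is shown as one general way to close the window.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not from the driver. */
struct model_dev {
    bool freed;        /* stands in for kfree(): set instead of releasing memory */
    bool tx_pending;   /* an asynchronous transmit completion is still queued */
    int  stale_access; /* callback accesses that happened after the release */
};

/* Models the transmit completion callback, which dereferences the device. */
static void model_tx_cb(struct model_dev *dev)
{
    if (dev->freed)
        dev->stale_access++;   /* in a real kernel this is the use-after-free */
    dev->tx_pending = false;
}

/* Models a command with a timeout: 0 on completion, -1 on timeout. */
static int model_cmd(struct model_dev *dev, bool reply_in_time, bool cancel_on_timeout)
{
    dev->tx_pending = true;
    if (reply_in_time) {
        model_tx_cb(dev);
        return 0;
    }
    if (cancel_on_timeout)
        dev->tx_pending = false;   /* pending transfer cancelled before returning */
    return -1;
}

/* Runs the timeout path and returns how many stale accesses were observed. */
int run_timeout_scenario(bool cancel_on_timeout)
{
    struct model_dev dev = { false, false, 0 };

    if (model_cmd(&dev, false, cancel_on_timeout) != 0)
        dev.freed = true;          /* caller's error path releases the device */
    if (dev.tx_pending)
        model_tx_cb(&dev);         /* late completion fires after the release */
    return dev.stale_access;
}

int main(void)
{
    printf("no cancel: %d stale access(es)\n", run_timeout_scenario(false));
    printf("cancel on timeout: %d stale access(es)\n", run_timeout_scenario(true));
    return 0;
}
```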
Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. The patch is available in the Linux kernel stable tree.