Linux Kernel Vidtv Bridge Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's vidtv bridge driver, specifically within the function vidtv_bridge_dvb_init(). This issue arises from improper error handling, which leads to memory being freed while it is still in use. The vulnerability was detected by the Kernel Address Sanitizer (KASAN), which reported a use-after-free error in the dvb_dmxdev_release() function, part of the dvb_core module. The vulnerability occurs when the vidtv_bridge_dvb_init() function encounters an error and attempts to release resources, causing a double-free scenario. Additionally, the error handling loop can lead to out-of-bounds access under certain conditions.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption. Such conditions are often exploitable, allowing for arbitrary code execution or causing a denial-of-service by crashing the system.

Reproduction

The vulnerability can be reproduced by loading the vidtv bridge driver in a Linux kernel environment where the error handling in the initialization function is triggered. This can be done by simulating a failure in the driver's frontend, tuner, or demodulator probes, which will cause the driver to improperly release resources, leading to the use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.