Linux Kernel Universal DVB Card Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Universal DVB card driver for the Linux kernel. This issue arises when the card is detaching, as the cleanup function 'netup_unidvb_dma_fini()' attempts to stop a timer using 'del_timer()'. However, if the timer handler 'netup_unidvb_dma_timeout()' is currently running, 'del_timer()' cannot effectively stop it, leading to a use-after-free condition. The vulnerability has been addressed by replacing 'del_timer()' with 'del_timer_sync()' to ensure the timer is properly stopped before it can be accessed again.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, which may be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by modulating the 'tx_sim_timer' while the 'netup_unidvb_dma_fini()' function is processing. This can be achieved by triggering the 'netup_unidvb_finidev()' function, which will start the timer. After a short delay, 'netup_unidvb_dma_fini()' can be called, which will attempt to stop the 'dma->timeout' timer using 'del_timer()'. If the 'netup_unidvb_dma_timeout()' handler is still running, the timer will not be successfully stopped, creating a window for the use-after-free vulnerability to be exploited.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for updating the kernel can be found in the official Linux documentation.