Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's DRM driver for Mediatek SoCs has been addressed. The issue arose in the 'mtk_drm_bind()' function, where a failure would trigger 'drm_dev_put()', destroying the 'drm_device' object. However, a pointer to this object was still held in the private object, which could be passed to the DRM subsystem in 'mtk_drm_sys_prepare()' during a suspend, leading to a kernel panic. The vulnerability has been fixed by clearing the pointer in the error handling path before the device is released.
The vulnerability could have caused a kernel panic by dereferencing a dangling pointer, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by triggering a failure in the 'mtk_drm_bind()' function of the Mediatek DRM driver. This failure should occur after the private pointer to the 'drm_device' object has been set, but before it is cleared. If a suspend is then initiated, the 'mtk_drm_sys_prepare()' function will be called, passing the invalid pointer and causing a panic.
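The failure sequence and the fix described above, as an added userspace model (not the kernel driver's code, and not taken from the original advisory). All `_model` names are hypothetical stand-ins, the device object is a static struct so the stale pointer can be inspected without touching freed memory, and the suspend path is assumed to treat a NULL pointer as nothing to suspend.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/* Userspace model only: every *_model name is hypothetical, not a kernel API. */
struct drm_device_model { int refcount; bool released; };
struct private_model { struct drm_device_model *drm; };

/* Static stand-in for the allocation, so a stale pointer is safe to inspect. */
static struct drm_device_model pool;

static void dev_put_model(struct drm_device_model *d)
{
    if (--d->refcount == 0)
        d->released = true;   /* the object is destroyed at this point */
}

/* Models the bind path: publish the pointer, then either succeed or fail. */
static int bind_model(struct private_model *p, bool fail, bool patched)
{
    pool.refcount = 1;
    pool.released = false;
    p->drm = &pool;           /* pointer stored in the private object */
    if (!fail)
        return 0;
    if (patched)
        p->drm = NULL;        /* fix: clear the pointer before the release */
    dev_put_model(&pool);
    return -1;
}

enum prepare_result { PREPARE_SKIPPED, PREPARE_OK, PREPARE_DANGLING };

/* Models the suspend-prepare path that hands p->drm to the subsystem. */
static enum prepare_result sys_prepare_model(const struct private_model *p)
{
    if (p->drm == NULL)       /* assumption: NULL means nothing to suspend */
        return PREPARE_SKIPPED;
    return p->drm->released ? PREPARE_DANGLING : PREPARE_OK;
}

int main(void)
{
    struct private_model p = { 0 };
    bind_model(&p, true, false);
    printf("unpatched, bind fails: %d\n", sys_prepare_model(&p));
    bind_model(&p, true, true);
    printf("patched, bind fails:   %d\n", sys_prepare_model(&p));
    return 0;
}
```

`PREPARE_DANGLING` marks the state in which the real driver would pass a destroyed object onward; with the pointer cleared first, the same failed bind leaves nothing for the suspend path to dereference.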
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.