Linux Kernel Microchip Clock Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Microchip clock driver, specifically in the auxiliary device release callback. This issue arises because the auxiliary device is not properly dismantled in the correct sequence. If the 'auxiliary_device_add()' function fails, the release callback may be invoked twice, leading to a use-after-free condition. This vulnerability is present in the Linux kernel stable tree.

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, potentially allowing for arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by adding an auxiliary device using 'auxiliary_device_add()' and then causing this operation to fail. This will trigger the release callback to be called twice, creating a use-after-free situation. The timing of these operations is crucial, as the release callback must be invoked twice before the auxiliary device is properly uninitialized and freed.

Remediation

The vulnerability has been addressed by moving the 'auxiliary_device_uninit()' call to the unregister callback, ensuring that the device is properly cleaned up before being deleted. Users should update to the latest version of the Linux kernel where this fix has been applied.