Linux Kernel HID Appletb-KBD Slab Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's HID Appletb keyboard driver. The issue arises in the 'appletb_kbd_probe' function, where a structure to hold touch bar keyboard data is allocated using 'devm_kzalloc'. If the function 'backlight_device_get_by_name' successfully finds a backlight device named 'appletb_backlight', a timer is set up to run after 60 seconds. However, if the probe fails after the timer is armed, the allocated structure is freed while the timer remains active. This leads to the timer attempting to access the now-freed memory, causing a use-after-free condition. The vulnerability has been addressed by ensuring the timer is properly disarmed on failure paths before the memory is freed.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, where freed memory is accessed, potentially allowing for arbitrary code execution or memory corruption.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.