Linux Kernel Use-After-Free Vulnerability in MEI Client Drivers

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's media IVSC drivers, specifically in the ACE and CSI submodules. The issue arises because the remove() function of both drivers fails to call mei_cldev_disable(), which is necessary to properly disconnect the MEI client from the device's file list. As a result, even after the client's memory is freed, it remains referenced in the file list. This flaw leads to a use-after-free condition when the mei_vsc_remove() function is executed during system shutdown, causing a crash. The vulnerability has been confirmed with a Kernel Address Sanitizer (KASAN) report, indicating a slab-use-after-free error.
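The lifetime error described above, as an added userspace model in C (not kernel code and not the upstream fix). All struct and function names are hypothetical; client_disable() only stands in for the unlinking role the text gives mei_cldev_disable(), and a fixed pool replaces real allocation so the stale entries can be counted safely.

```c
/* Userspace model of the bug; every name here is hypothetical, not a kernel API. */
#include <stdbool.h>
#include <stdio.h>

struct client { bool live; struct client *next; };  /* live = memory not yet freed */
struct device { struct client *file_list; };
static struct client pool[2];  /* fixed pool: "freed" slots stay safely readable */

/* Connecting a client links it into the device's file list. */
static struct client *client_connect(struct device *dev, int slot)
{
    struct client *cl = &pool[slot];
    cl->live = true;
    cl->next = dev->file_list;
    dev->file_list = cl;
    return cl;
}

/* Stands in for the role the text gives mei_cldev_disable(): unlink the client. */
static void client_disable(struct device *dev, struct client *cl)
{
    for (struct client **pp = &dev->file_list; *pp; pp = &(*pp)->next)
        if (*pp == cl) { *pp = cl->next; return; }
}

/* Driver remove(): the pre-fix form frees the client without unlinking it. */
static void driver_remove(struct device *dev, struct client *cl, bool fixed)
{
    if (fixed)
        client_disable(dev, cl);
    cl->live = false;  /* models freeing the client's memory */
}

/* Bus teardown walks the file list; count entries that point at freed clients. */
static int teardown_stale_refs(const struct device *dev)
{
    int stale = 0;
    for (const struct client *cl = dev->file_list; cl; cl = cl->next)
        stale += !cl->live;
    return stale;
}

/* Two client drivers (standing in for ACE and CSI) are removed, then teardown runs. */
static int run_scenario(bool fixed)
{
    struct device dev = { NULL };
    driver_remove(&dev, client_connect(&dev, 0), fixed);
    driver_remove(&dev, client_connect(&dev, 1), fixed);
    return teardown_stale_refs(&dev);
}

int main(void)
{
    printf("pre-fix stale refs: %d\n", run_scenario(false));
    printf("fixed stale refs:   %d\n", run_scenario(true));
    return 0;
}
```

In the kernel, each stale entry counted here is a freed slab object that the teardown path dereferences, which is the access KASAN reports.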

Impact

Exploitation of this vulnerability causes a system crash through the use-after-free, which can also lead to memory corruption.

Reproduction

The vulnerability can be reproduced by building a Linux kernel with KASAN enabled, and then shutting down the system. This process will trigger the use-after-free condition in the affected drivers, as the missing mei_cldev_disable() calls allow freed memory to be accessed incorrectly.

Remediation

The vulnerability has been addressed in the Linux kernel stable tree. Users can upgrade to the latest version of the kernel to apply the fix.

Added: Sep 5, 2025, 7:30 PM
Updated: Sep 5, 2025, 7:30 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.