Linux Kernel XC5000 Tuner Use-After-Free Vulnerability in Release Function

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's media tuner XC5000 driver. The issue arises in the 'xc5000_release' function, where the code improperly uses 'cancel_delayed_work' to stop a delayed work item. This approach does not ensure that the work item has fully completed before the associated memory is freed. As a result, 'xc5000_release' can release the 'xc5000_priv' structure while a callback is still active, leading to a race condition. The vulnerability was discovered through static analysis and has been addressed by replacing 'cancel_delayed_work' with 'cancel_delayed_work_sync' to ensure proper synchronization before memory deallocation.
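The race described above, modelled in userspace as an added example (not the kernel's code or the driver's patch): a pthread stands in for the delayed work callback and a flag stands in for freeing 'xc5000_priv', so nothing is really freed. All `*_model` names are hypothetical.

```c
/* Constructed userspace model; every *_model name is hypothetical. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <unistd.h>
struct priv_model {
    atomic_bool running;    /* callback is executing */
    atomic_bool freed;      /* stands in for kfree(priv) */
    atomic_int  stale_use;  /* callback touched priv after the "free" */
    pthread_t   worker;
};

/* Models the delayed work callback: runs for a while, then touches priv. */
static void *timer_sleep_model(void *arg)
{
    struct priv_model *p = arg;
    atomic_store(&p->running, true);
    usleep(100 * 1000);
    if (atomic_load(&p->freed))     /* in the kernel: use-after-free */
        atomic_fetch_add(&p->stale_use, 1);
    atomic_store(&p->running, false);
    return NULL;
}

/* Like cancel_delayed_work(): returns at once, even if the callback runs. */
static bool cancel_model(struct priv_model *p)
{
    return !atomic_load(&p->running);   /* false: nothing pending to cancel */
}

/* Like cancel_delayed_work_sync(): also waits for a running callback. */
static bool cancel_sync_model(struct priv_model *p)
{
    bool pending = cancel_model(p);
    pthread_join(p->worker, NULL);
    return pending;
}

/* One release against an in-flight callback; returns stale accesses seen. */
int release_model(bool use_sync)
{
    struct priv_model p = {0};
    pthread_create(&p.worker, NULL, timer_sleep_model, &p);
    while (!atomic_load(&p.running)) usleep(1000);  /* callback in flight */
    if (use_sync) cancel_sync_model(&p); else cancel_model(&p);
    atomic_store(&p.freed, true);       /* release "frees" priv here */
    if (!use_sync) pthread_join(p.worker, NULL);    /* harness cleanup only */
    return atomic_load(&p.stale_use);
}
```

The model covers only the case where the callback has already started when release runs, which is the case the fix addresses.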

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, allowing for potential memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by triggering the 'xc5000_release' function while the 'timer_sleep' delayed work item is still active. The release path cancels the delayed work without waiting for it to complete, which creates the race condition behind the use-after-free.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux Kernel Archives.

Added: Oct 15, 2025, 8:27 AM
Updated: Oct 15, 2025, 11:22 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.