Linux Kernel B2C2 FlexCop PCI Use-After-Free Vulnerability in IRQ Work Handling

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of B2C2 FlexCop PCI devices. The issue arises in the 'flexcop_pci_remove' function, which cancels a delayed work item without waiting for an already-running instance of it to finish. This creates a race condition: the removal path can free the device structure while the work callback is still executing and still holds a pointer to it. The vulnerability has been confirmed by a Kernel Address Sanitizer (KASAN) report, which detected the delayed work callback accessing the device structure after it had been freed.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, allowing for potential arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by simulating a B2C2 FlexCop PCI device in QEMU. Introduce artificial delays in the 'flexcop_pci_irq_check_work' function to increase the likelihood of triggering the race condition. During the delay, remove the device, which will cause the 'flexcop_pci_remove' function to free the device structure while the work item is still trying to access it.

Remediation

The vulnerability has been fixed by replacing 'cancel_delayed_work()' with 'cancel_delayed_work_sync()' in the 'flexcop_pci_remove()' function. This change ensures that the delayed work item is properly canceled and any executing work has finished before the device memory is deallocated.
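The following userspace program is an added illustration of the race described in the Vulnerability and Remediation sections above; it is not kernel code and not the driver's own source. The "delayed work", the device structure and the two cancel helpers are assumed pthread stand-ins for the kernel's delayed_work, the flexcop private data, cancel_delayed_work() and cancel_delayed_work_sync(). The callback records whether it observed the device after "remove" released it (a flag replaces a real kfree so the program stays memory-safe), which makes the difference between the two cancel semantics directly observable.

```c
/* Userspace model of the flexcop_pci_remove() race. All names ending in
 * _model, plus fc_dev, dwork and run_remove, are constructed for this
 * illustration and are not kernel or driver APIs. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <unistd.h>

/* Stand-in for the flexcop PCI private data; "freed" replaces kfree(). */
struct fc_dev {
    atomic_int freed;
};

/* Stand-in for struct delayed_work plus the queue thread that runs it. */
struct dwork {
    pthread_t thread;
    pthread_mutex_t lock;
    pthread_cond_t started;
    int running;            /* callback has entered its body */
    atomic_int cancelled;   /* set by either cancel helper */
    struct fc_dev *dev;
    int saw_freed_dev;      /* what the callback observed: 1 = UAF */
};

/* Model of flexcop_pci_irq_check_work(): touches the device after a delay. */
static void *irq_check_work(void *arg)
{
    struct dwork *w = arg;

    /* "Pending" phase: the timer has not fired yet. A cancel that lands
     * here stops the callback from running at all, like in the kernel. */
    usleep(10 * 1000);
    if (atomic_load(&w->cancelled))
        return NULL;

    /* "Running" phase: a plain cancel can no longer stop it. */
    pthread_mutex_lock(&w->lock);
    w->running = 1;
    pthread_cond_signal(&w->started);
    pthread_mutex_unlock(&w->lock);

    usleep(100 * 1000);  /* the artificial delay the report used to widen the window */
    w->saw_freed_dev = atomic_load(&w->dev->freed);  /* dereferences dev: UAF if freed */
    return NULL;
}

static void schedule_delayed_work_model(struct dwork *w, struct fc_dev *dev)
{
    w->dev = dev;
    w->running = 0;
    w->saw_freed_dev = 0;
    atomic_store(&w->cancelled, 0);
    pthread_mutex_init(&w->lock, NULL);
    pthread_cond_init(&w->started, NULL);
    pthread_create(&w->thread, NULL, irq_check_work, w);
}

/* Model of cancel_delayed_work(): stops a pending callback but returns
 * immediately even if the callback is already executing. */
static void cancel_delayed_work_model(struct dwork *w)
{
    atomic_store(&w->cancelled, 1);
}

/* Model of cancel_delayed_work_sync(): additionally waits until a running
 * callback has returned, so the caller may free what the callback touches. */
static void cancel_delayed_work_sync_model(struct dwork *w)
{
    atomic_store(&w->cancelled, 1);
    pthread_join(w->thread, NULL);
}

/* Model of flexcop_pci_remove(). Returns 1 if the callback touched the device
 * after it was released (the bug), 0 if the teardown was safe. */
int run_remove(int use_sync)
{
    struct fc_dev dev = { .freed = 0 };
    struct dwork w;

    schedule_delayed_work_model(&w, &dev);

    /* Wait until the callback is mid-flight: the window the KASAN report hit. */
    pthread_mutex_lock(&w.lock);
    while (!w.running)
        pthread_cond_wait(&w.started, &w.lock);
    pthread_mutex_unlock(&w.lock);

    if (use_sync)
        cancel_delayed_work_sync_model(&w);  /* fixed driver */
    else
        cancel_delayed_work_model(&w);       /* vulnerable driver */

    atomic_store(&dev.freed, 1);             /* stands in for freeing the device */

    if (!use_sync)
        pthread_join(w.thread, NULL);        /* reap the thread for the model only */
    pthread_mutex_destroy(&w.lock);
    pthread_cond_destroy(&w.started);
    return w.saw_freed_dev;
}

int main(void)
{
    printf("cancel_delayed_work:      callback saw freed device = %d\n", run_remove(0));
    printf("cancel_delayed_work_sync: callback saw freed device = %d\n", run_remove(1));
    return 0;
}
```

With the plain cancel, "remove" releases the device while the callback is still asleep inside its body, so the callback's final read lands on a released object; with the synchronous cancel, the release is deferred until the callback has returned. The same rule applies to any driver teardown path: whatever a work item dereferences must outlive a sync cancel, not merely a cancel.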

Added: Oct 15, 2025, 8:22 AM
Updated: Oct 15, 2025, 11:20 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.