Linux Kernel Thunderbolt Driver Use-After-Free Vulnerability in DisplayPort Handling

A use-after-free vulnerability has been identified in the Linux kernel's Thunderbolt driver, specifically in the management of DisplayPort tunnels. This issue arises because the function 'tb_dp_dprx_stop()' cancels a delayed work item without ensuring that it has fully completed, creating a race condition. As a result, the 'tb_tunnel' object can be deallocated while the delayed work is still active, leading to a use-after-free scenario. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, allowing for potential memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by activating a DisplayPort tunnel, which queues a delayed work item. If the tunnel is then deactivated and freed while the delayed work is still pending, the work item will attempt to access the freed memory, causing a use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the Linux Kernel Archives.