Linux Kernel Use-After-Free Vulnerability in Simple Framebuffer Driver on Apple M2 Mac Mini

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's simple framebuffer (simplefb) driver, specifically in its handling of power domains. The issue arises because the power-domain cleanup cannot be managed by the device resource (devres) system: the data structure it needs is allocated in a way that is not compatible with devres management, so the cleanup runs against memory that has already been released. The vulnerability was observed in Linux kernel version 6.16.3 in the downstream Asahi kernel, built with Debian's kernel configuration. During the removal of conflicting devices, the kernel consistently dereferenced an invalid pointer, leading to a memory access error.

Impact

The defect is a use-after-free: the kernel accesses memory that has already been freed. This results in undefined behaviour, including potential memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced on an Apple Mac Mini M2 running a kernel based on Linux 6.16.3 with the Asahi patches. When the simple framebuffer driver is loaded and then removed, the improper management of the power-domain cleanup leads to the use-after-free condition.

Remediation

Users should upgrade to a Linux kernel version in which this vulnerability has been fixed. The specific commit that addresses the issue is available in the Linux stable tree.

Added: Oct 28, 2025, 1:17 PM
Updated: Oct 28, 2025, 1:17 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.