Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's handling of Mediatek DRM components during the unbinding process. This issue arises from a reference imbalance created by a recent change that addressed device reference leaks but inadvertently reintroduced a partial fix related to component sub-driver management. As a result, failed component bindings and unbindings can lead to dangling references, potentially allowing for exploitation.
Exploitation of this vulnerability can lead to a use-after-free condition, in which code continues to use memory after it has been freed, potentially causing memory corruption or allowing arbitrary code execution.
The vulnerability can be reproduced by creating a scenario where a Mediatek DRM component fails to bind properly, leaving behind a dangling reference. This can be done by triggering a binding failure in the component's driver, which causes the unbinding process to manage device references incorrectly. The specific conditions for such a failure depend on the specifics of the Mediatek DRM implementation and the devices involved.
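The reference imbalance described above, reduced to a userspace C model. This is an added example, not kernel or driver code: all names are hypothetical, and it assumes the leak fix drops the looked-up reference right after use while the older partial fix drops one more on bind failure and on unbind.

```c
#include <stdio.h>

/* Userspace model only; names are hypothetical, not from the driver. */
struct dev { int refs; int freed; };

static void dev_get(struct dev *d) { d->refs++; }

static void dev_put(struct dev *d)
{
    if (--d->refs == 0)
        d->freed = 1;            /* last reference gone: object released */
}

/* A lookup hands the caller its own reference. */
static struct dev *lookup(struct dev *d) { dev_get(d); return d; }

/* Component bind: look the device up, read its data, drop the reference.
 * extra_put models the leftover partial fix (assumed shape). */
static int comp_bind(struct dev *d, int fail, int extra_put)
{
    struct dev *ref = lookup(d);
    dev_put(ref);                /* leak fix: balances lookup() */
    if (fail) {
        if (extra_put)
            dev_put(d);          /* second put for a reference never taken */
        return -1;
    }
    return 0;
}

static void comp_unbind(struct dev *d, int extra_put)
{
    if (extra_put)
        dev_put(d);              /* same imbalance on the unbind path */
}

/* Returns 1 if the device was released while its owner still holds it. */
int freed_under_owner(int fail_bind, int extra_put)
{
    struct dev d = { .refs = 1, .freed = 0 };   /* owner's reference */
    if (comp_bind(&d, fail_bind, extra_put) == 0)
        comp_unbind(&d, extra_put);
    return d.freed;
}

int main(void)
{
    printf("imbalanced, bind fails: %d\n", freed_under_owner(1, 1));
    printf("imbalanced, unbind:     %d\n", freed_under_owner(0, 1));
    printf("balanced,   bind fails: %d\n", freed_under_owner(1, 0));
    printf("balanced,   unbind:     %d\n", freed_under_owner(0, 0));
    return 0;
}
```

In the model the object is only flagged as released, so the imbalance is visible without touching freed memory; in the kernel the owner's pointer would be dangling at that point.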
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The patch can be downloaded from the Linux kernel Git repository.