Linux Kernel DRM/Radeon Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's DRM/Radeon driver. This issue arises because the driver's main structure allocation was changed to use a managed allocation function, but the driver still manually releases the structure in error handling and removal paths. As a result, when the driver fails to probe, it can lead to a reference count underflow and a use-after-free condition. This vulnerability affects the Linux kernel DRM/Radeon driver in versions prior to the latest patch.

Impact

Exploitation of this vulnerability causes a reference count underflow, leading to a use-after-free condition. Such conditions can often be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.

Reproduction

To reproduce this vulnerability, load the DRM/Radeon driver on a system with a PCI device that the driver can probe. Introduce a condition that causes the probe to fail, such as using a device that is not supported or is malfunctioning. The driver will attempt to release its resources, but because of the improper management of the device's lifecycle, this will create a use-after-free situation. The resulting warning about the reference count underflow will indicate that the vulnerability has been triggered.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for updating the kernel can be found in the documentation for the specific Linux distribution in use.