Linux Kernel Cros Ec Ishtp Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's ChromeOS EC ISHTP driver. This issue arises after the driver is unbound, as a kernel thread continues to access the device, leading to a crash. The driver fails to properly unregister the EC device, which should deactivate sub-devices in a synchronized manner.

Impact

Exploitation of this vulnerability causes a use-after-free condition, leading to a crash of the affected system.

Reproduction

To reproduce this vulnerability, load the ChromeOS EC ISHTP driver and then unbind it. After unbinding, the kernel thread 'cros_ec_console_log_work' will still access the device, causing a use-after-free condition and a subsequent crash. This occurs because the driver does not unregister the EC device in the remove() function, which should shut down sub-devices synchronously.

Remediation

The vulnerability has been addressed in the Linux kernel. Users can apply the latest updates from the Linux kernel stable tree to mitigate this issue.