Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel ALPS input driver. This issue arises in versions of the Linux kernel prior to the latest stable release. The vulnerability is a race condition involving the delayed work item 'dev3_register_work', which is scheduled after the first bare PS/2 packet is received from an external PS/2 device connected to the ALPS touchpad. When the device is disconnected, 'psmouse_disconnect()' calls 'flush_workqueue()' so that 'dev3_register_work' completes. However, 'flush_workqueue()' waits only for work items that were queued before it was called, so 'dev3_register_work' can still be scheduled after the flush has completed. The work item can then run after the data it uses has been freed, causing a use-after-free condition.
A use-after-free of this kind may be exploited to execute arbitrary code or to cause a denial-of-service condition by crashing the system.
The vulnerability can be reproduced by connecting an external PS/2 device to a system running an affected version of the Linux kernel. Once the device is connected, the 'dev3_register_work' item is scheduled. Afterward, the device can be detached, which triggers the 'psmouse_disconnect()' function. However, because 'flush_workqueue()' only waits for work items queued before its invocation, the 'dev3_register_work' can still be executed after the disconnection process has completed, leading to a use-after-free condition.
Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability. The patch for this issue is included in the official Linux kernel repositories.
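The ordering problem described above, as an added example that is not kernel code and not taken from the upstream patch: a single-threaded userspace C model of one work item, comparing a flush that only drains already-queued work with a teardown that also refuses later queueing (the behaviour of the kernel's disable_delayed_work_sync()). All names in the model are hypothetical, and whether the upstream fix uses that call is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of one delayed work item and the private data it uses. */
struct work {
    bool owner_alive;  /* models the driver data the handler dereferences */
    bool pending;      /* queued but not yet run */
    bool disabled;     /* set by disable_sync_model(); blocks re-queueing */
    int  stale_runs;   /* handler runs that touched freed data */
};

/* Queueing is refused once the work item has been disabled. */
static bool queue_model(struct work *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Run the handler if queued; count a run against freed data. */
static void run_pending(struct work *w)
{
    if (!w->pending)
        return;
    w->pending = false;
    if (!w->owner_alive)
        w->stale_runs++;   /* in the kernel this is the use-after-free */
}

/* flush semantics: only work queued before the call is waited for. */
static void flush_model(struct work *w) { run_pending(w); }

/* disable+sync semantics: cancel pending work and reject future queueing. */
static void disable_sync_model(struct work *w)
{
    w->pending = false;
    w->disabled = true;
}

/* Replays the disconnect sequence; returns handler runs on freed data. */
static int disconnect_race(bool hardened)
{
    struct work w = { .owner_alive = true };
    queue_model(&w);                 /* first bare PS/2 packet arrives */
    if (hardened) disable_sync_model(&w); else flush_model(&w);
    queue_model(&w);                 /* late packet, after teardown step */
    w.owner_alive = false;           /* disconnect frees the private data */
    run_pending(&w);                 /* delayed work fires afterwards */
    return w.stale_runs;
}

int main(void)
{
    printf("flush only: %d stale run(s)\n", disconnect_race(false));
    printf("disable+sync: %d stale run(s)\n", disconnect_race(true));
    return 0;
}
```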