Linux Kernel Mediatek IOMMU Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the IOMMU driver for Mediatek devices within the Linux kernel. This issue arises because the driver improperly manages references to larb devices during the probing process. Specifically, it releases references too early, both after a successful lookup and in error situations. This mismanagement can lead to a use-after-free condition, particularly if a larb device has not yet been associated with its driver, causing the IOMMU driver's probe to be deferred. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, which may be exploited to cause memory corruption or execute arbitrary code.

Reproduction

The vulnerability can be reproduced by loading the Mediatek IOMMU driver on a device where the larb devices have not yet been bound to their drivers. This can be done by triggering a probe deferral in the IOMMU driver, which will cause it to release references to the larb devices prematurely, creating a use-after-free situation.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.