Linux Kernel Lkkbd Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's lkkbd driver. The issue arises because the lkkbd_disconnect() function and error paths in lkkbd_connect() free the lkkbd structure without first disabling pending work that could reference the freed structure. This allows the work handler, lkkbd_reinit(), to access the lkkbd structure after it has been freed, potentially leading to memory corruption or arbitrary code execution. The vulnerability affects the stable versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, allowing for memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by connecting a lkkbd device, which triggers the lkkbd_interrupt() function to schedule a work item that references the lkkbd structure. If the device is then disconnected or an error occurs during the connection process, the lkkbd structure is freed without disabling the queued work item. Once the work item is executed, it will attempt to access the freed structure, creating a use-after-free condition.

Remediation

The vulnerability has been addressed by modifying the lkkbd driver to use disable_work_sync() instead of cancel_work_sync() before freeing the lkkbd structure. This change prevents the reinit work from being queued after the structure has been freed. Users should apply the latest patches available in the Linux kernel stable tree to address this vulnerability.