Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the AT91 SAMA5D2 ADC driver of the Linux kernel. This issue arises when the ADC interrupt handler schedules a work function that uses the driver’s internal state. If the ADC module is removed before this work is completed, the internal state can be freed and later accessed, leading to a use-after-free condition. The vulnerability is present in the Linux kernel's stable releases.
The use-after-free may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.
To reproduce this vulnerability, load the AT91 SAMA5D2 ADC driver and ensure that the ADC interrupt handler is called, which will schedule a work function using the driver's internal state. While this work is pending, remove the ADC module. The removal process will free the internal state, but the scheduled work will still attempt to access it, creating a use-after-free condition.
The vulnerability has been addressed by modifying the driver to cancel the scheduled work before unregistering the device, ensuring that the internal state is not accessed after it has been freed.
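The teardown ordering described above, as an added example that is not the driver's code or the upstream patch: a single-threaded userspace C model in which every name (`adc_state`, `work`, `simulate_remove`) is hypothetical. A flag stands in for the freed memory, so the model counts the stale access instead of performing it.

```c
/* Constructed userspace model of the remove-vs-pending-work ordering; not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct adc_state { int samples; };                    /* stands in for the driver's internal state */
struct work { bool pending; struct adc_state *st; };  /* stands in for a deferred work item */

static bool state_live;  /* true while the state allocation is valid */
static int stale_runs;   /* work executions that found the state already freed */

/* Interrupt handler: only queues the work, it does not run it. */
static void irq_handler(struct work *w) { w->pending = true; }

/* Work function: in the real bug this is where freed memory would be touched. */
static void work_fn(struct work *w)
{
    if (!state_live) { stale_runs++; return; }  /* counted instead of dereferenced */
    w->st->samples++;
}

/* The work queue getting CPU time some time after the interrupt. */
static void run_queue(struct work *w)
{
    if (w->pending) { w->pending = false; work_fn(w); }
}

/* Cancel step of the fix: once this returns, the queued work will not run. */
static void cancel_pending(struct work *w) { w->pending = false; }

/* Returns how many times the work ran against freed state (-1 on allocation failure). */
int simulate_remove(bool cancel_before_free)
{
    struct work w = { .pending = false, .st = calloc(1, sizeof(struct adc_state)) };
    if (!w.st) return -1;
    state_live = true;
    stale_runs = 0;

    irq_handler(&w);                         /* interrupt fires, work is queued */
    if (cancel_before_free) cancel_pending(&w);
    free(w.st); w.st = NULL; state_live = false;  /* module removal frees the state */
    run_queue(&w);                           /* queue runs whatever is still pending */
    return stale_runs;
}

int main(void)
{
    printf("free only: %d stale run(s)\n", simulate_remove(false));
    printf("cancel, then free: %d stale run(s)\n", simulate_remove(true));
    return 0;
}
```

The model is single-threaded, so it covers only work that is still queued at removal time; work that is already executing on another CPU also has to be waited for before the state is freed.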