Linux Kernel Libertas Driver Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Libertas wireless driver. The issue arises in the 'lbs_free_adapter()' function, which improperly uses a non-synchronous timer deletion method. This flaw can lead to a situation where a timer callback accesses freed memory, causing potential memory corruption. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability leads to use-after-free conditions, where freed memory is accessed, potentially causing memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by triggering the 'lbs_free_adapter()' function while a timer callback is still executing. This can be done by manipulating the driver's timer management to create a race condition, where the callback accesses the driver's private structure after it has been freed.

Remediation

The vulnerability has been fixed by changing the timer deletion method to a synchronous one, ensuring that any running timer callbacks have completed before the associated resources are freed. Users should update to the latest version of the Linux kernel where this fix has been applied.