Linux Kernel ACPI EC Probe Failure Handling Vulnerability Leading to Use-After-Free

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's ACPI EC (Embedded Controller) handling. This issue arises when the function 'ec_install_handlers()' returns a probe defer error on platforms with reduced hardware. In such cases, the EC is activated, and a handler is installed using a pointer that later becomes invalid. The error propagation in 'acpi_ec_setup()' lacks proper cleanup, causing the handler to reference a freed pointer during subsequent ACPI evaluations. This flaw triggers a slab-use-after-free error, as unprivileged sysfs reads can inadvertently access the dangling pointer through the EC OpRegion, particularly in fields related to battery, thermal, or backlight data.

Impact

Triggering this vulnerability produces a use-after-free, a memory corruption condition in which kernel code dereferences a pointer to freed memory, potentially allowing arbitrary code execution or other memory exploitation.

Reproduction

The vulnerability can be reproduced on Linux systems with reduced-hardware EC platforms, where the GPIO IRQ provider defers probing. When 'ec_install_handlers()' returns the probe defer error, 'acpi_ec_setup()' propagates it without undoing the handler installation, so the installed handler is left holding a dangling pointer. That stale handler can then be reached through unprivileged sysfs reads that touch the EC OpRegion, exercising the use-after-free.
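The error-path defect described above, shown as a constructed C model added here (not the kernel's ACPI EC code): a setup routine installs a handler that captures its context pointer, then returns a probe-defer status without removing it, so the registry keeps a reference to memory the caller frees; the fixed form undoes the registration on the error path. The one-slot registry, 'struct ec_ctx' and the IRQ-provider stub are assumptions for illustration.

```c
/* Constructed model of the register-then-fail-without-unregister pattern.
 * Not the kernel's code: the registry, context and IRQ stub are toy stand-ins. */
#include <stdlib.h>

#define EPROBE_DEFER 517   /* same numeric value Linux uses for -EPROBE_DEFER */

struct ec_ctx { int data_port; };

/* Toy stand-in for the OpRegion handler registry: a single slot plus a flag,
 * so the check below never touches the pointer after it has been freed. */
static struct { struct ec_ctx *ctx; int installed; } registry;

static void install_handler(struct ec_ctx *ctx) { registry.ctx = ctx; registry.installed = 1; }
static void remove_handler(void) { registry.ctx = NULL; registry.installed = 0; }
int handler_installed(void) { return registry.installed; }

/* Stands in for the GPIO IRQ provider that may not be ready yet. */
static int request_irq_provider(int ready) { return ready ? 0 : -EPROBE_DEFER; }

/* Buggy shape: the handler stays installed when the IRQ step defers. */
int setup_buggy(struct ec_ctx *ctx, int irq_ready)
{
    install_handler(ctx);
    int rc = request_irq_provider(irq_ready);
    if (rc)
        return rc;         /* no cleanup: registry still points at ctx */
    return 0;
}

/* Fixed shape: every error path undoes the registration it made. */
int setup_fixed(struct ec_ctx *ctx, int irq_ready)
{
    install_handler(ctx);
    int rc = request_irq_provider(irq_ready);
    if (rc) {
        remove_handler();  /* registry no longer references ctx */
        return rc;
    }
    return 0;
}

/* Drive a deferred probe through the given setup, free the context the way a
 * caller does on failure, and report whether a handler is still registered
 * (1 = a dangling reference was left behind). */
int probe_leaves_dangling(int (*setup)(struct ec_ctx *, int))
{
    struct ec_ctx *ctx = calloc(1, sizeof *ctx);
    int rc = setup(ctx, 0);            /* IRQ provider not ready: defer */
    if (rc == -EPROBE_DEFER)
        free(ctx);                     /* caller discards the context */
    return handler_installed();
}
```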

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Apr 13, 2026, 4:25 PM
Updated: Apr 13, 2026, 4:25 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.