Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's SPI controller driver for the Freescale Low Power Serial Peripheral Interface (SPI-FSL-LPSPI). The issue arises from an improper teardown order when the SPI controller is unregistered. The controller is registered with a managed function, which delays unregistration until after the driver's removal function has completed. Consequently, when the removal function synchronously deactivates the DMA channels, the controller is still registered, and any ongoing SPI transfer can cause a NULL pointer dereference, leading to a kernel crash. This vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability causes a kernel NULL pointer dereference, resulting in a system crash.
The vulnerability can be reproduced by initiating an SPI transfer over a Freescale Low Power SPI controller while the system is in the process of unregistering the controller. This can be done by sending data through the SPI interface via a device file, such as /dev/spidevX.Y, where X and Y correspond to the bus and device numbers. The transfer should be active when the controller is being removed, which can be timed by manually triggering the removal process or by unloading the associated kernel module.
The vulnerability has been addressed by changing the SPI controller registration to a non-managed version, allowing for proper unregistration before the removal process tears down the DMA channels. Users should update to the latest version of the Linux kernel where this fix has been applied.
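The teardown order described above and the corrected order, as an added example that is not the driver's code: a userspace C model with hypothetical names (ctlr_model, transfer, teardown) that calls no kernel APIs. It assumes, as a simplification, that an unregistered controller simply rejects new transfers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: hypothetical names, no kernel APIs are called. */
struct dma_chan { int id; };
struct ctlr_model {
    bool registered;      /* SPI core still accepts transfers for this controller */
    struct dma_chan *tx;  /* NULL once remove() has released the DMA channel */
};
enum xfer_result { XFER_OK, XFER_REJECTED, XFER_NULL_DMA };

/* Transfer arriving while teardown is in progress. */
static enum xfer_result transfer(const struct ctlr_model *c)
{
    if (!c->registered)
        return XFER_REJECTED;   /* controller already unregistered */
    if (c->tx == NULL)
        return XFER_NULL_DMA;   /* the kernel would dereference NULL here */
    return XFER_OK;
}

static void dma_exit(struct ctlr_model *c)   { c->tx = NULL; }
static void unregister(struct ctlr_model *c) { c->registered = false; }

/* Returns what a transfer issued in the middle of remove() observes. */
static enum xfer_result teardown(bool fixed_order)
{
    struct dma_chan ch = { .id = 0 };
    struct ctlr_model c = { .registered = true, .tx = &ch };
    enum xfer_result seen;

    if (fixed_order) {          /* non-managed: unregister first */
        unregister(&c);
        seen = transfer(&c);
        dma_exit(&c);
    } else {                    /* managed: unregistration deferred past remove() */
        dma_exit(&c);
        seen = transfer(&c);
        unregister(&c);
    }
    return seen;
}

int main(void)
{
    printf("managed order: %d, fixed order: %d\n", teardown(false), teardown(true));
    return 0;
}
```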