Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been addressed in the Linux kernel's driver core, specifically within the platform bus. The issue arose because the bus's match() callback was invoked without holding the device lock, allowing unsynchronized access to the driver_override field. This lack of proper locking could lead to a use-after-free condition. The vulnerability has been mitigated by utilizing the driver-core driver_override infrastructure, which manages locking appropriately. The flaw was reported by Gui-Dong Han and is linked to Bugzilla issue #220789.
Exploitation of this vulnerability could lead to a use-after-free condition, potentially allowing for arbitrary memory manipulation or execution of arbitrary code.
The vulnerability can be reproduced by probing a driver through the __driver_attach() function on a platform device. This process will trigger the bus's match() callback without the necessary device lock, creating a window where the driver_override field can be accessed unsafely. This improper handling can be exploited to create a use-after-free scenario.
Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.