Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.1.164, < 6.1.164+ #114
A use-after-free vulnerability has been identified in the Linux kernel's PCI MACB glue driver. This issue arises when the platform device is unregistered, but the runtime resume callback still attempts to use the associated clock variables. The vulnerability was introduced in versions of the Linux kernel prior to 6.1.164 and can be exploited by manipulating the PCI device removal process, causing a read of freed memory that could lead to undefined behavior or memory corruption.
Exploitation of this vulnerability causes a use-after-free condition, where a clock pointer is accessed after it has been freed, leading to potential memory corruption.
To reproduce this vulnerability, load a module that registers a PCI device using the MACB driver. Once the device is registered, remove the module, which triggers the platform_device_unregister() function. Before that function finishes removing the device, the runtime resume callback attempts to access the clock variables, which have already been freed. As a result, the clock preparation function reads from a memory address that has been deallocated, creating a use-after-free condition.
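The teardown ordering described above, as a userspace C model added here (not kernel or driver code): it counts how often the resume callback touches a clock that has already been released. All `model_*` names and the two-clock layout are assumptions, and the device-first order is an assumed safe ordering, not a description of the actual patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not a kernel API. */
struct model_clk { bool live; };       /* stands in for a registered clock */

struct model_pdev {
    struct model_clk *clk[2];          /* clocks the resume callback uses */
    int stale_reads;                   /* times a released clock was touched */
};

/* Clock preparation: in the kernel this would dereference the clock. */
static void model_clk_prepare(struct model_pdev *p, struct model_clk *c)
{
    if (!c->live)
        p->stale_reads++;              /* real driver: read of freed memory */
}

/* Unregistering the platform device runs the runtime resume callback,
 * which prepares both clocks, before the device is finally removed. */
static void model_pdev_unregister(struct model_pdev *p)
{
    model_clk_prepare(p, p->clk[0]);
    model_clk_prepare(p, p->clk[1]);
}

static void model_clk_unregister(struct model_clk *c) { c->live = false; }

/* Returns the number of stale clock accesses for a given teardown order. */
static int model_remove(bool clocks_first)
{
    struct model_clk a = { true }, b = { true };
    struct model_pdev p = { { &a, &b }, 0 };

    if (clocks_first) {                /* order described in the advisory */
        model_clk_unregister(&a);
        model_clk_unregister(&b);
        model_pdev_unregister(&p);
    } else {                           /* assumed safe order: device first */
        model_pdev_unregister(&p);
        model_clk_unregister(&a);
        model_clk_unregister(&b);
    }
    return p.stale_reads;
}

int main(void)
{
    printf("clocks released first: %d stale reads\n", model_remove(true));
    printf("device removed first:  %d stale reads\n", model_remove(false));
    return 0;
}
```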
The vulnerability has been fixed in the Linux kernel stable tree. Users can upgrade to the latest version of the kernel to address this issue.