Linux Kernel FarSync T-Series Card Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of FarSync T-series cards. When a card is detached, its associated fst_card_info is deallocated. However, if the fst_tx_task or fst_int_task is still running or pending, this can lead to a race condition. The freed fst_card_info may be accessed by these tasks, causing a use-after-free bug. This issue was detected through static analysis and can be reproduced by simulating a FarSync T-series card in QEMU, introducing delays in the tasklet handler to trigger the race condition.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, causing memory corruption issues.

Reproduction

To reproduce this vulnerability, detach a FarSync T-series card while the fst_tx_task or fst_int_task is still running or pending. This can be done by simulating the card in QEMU and adding delays in the tasklet handler, which increases the chances of accessing the freed fst_card_info before the tasklet has finished processing.

Remediation

The vulnerability has been fixed by ensuring that both fst_tx_task and fst_int_task are properly canceled before the fst_card_info is released. The tasklet_kill() function was added to the fst_remove_one() function, after unregister_hdlc_device() and fst_disable_intr(), to synchronize with any pending or running tasklets.