Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A double free vulnerability has been identified in the Linux kernel's cpufreq governor, specifically within the cpufreq_dbs_governor_init() function. The issue arises when kobject_init_and_add() fails, which leads to a premature release of the kobject. The release callback calls the governor's exit function and frees the associated data structure; the error path then repeats the same exit call and free, causing a double free condition. The vulnerability affects the Linux kernel stable tree.
The resulting double free can potentially be exploited to execute arbitrary code or cause a denial of service by crashing the system.
To reproduce this vulnerability, invoke the cpufreq_dbs_governor_init() function and simulate a failure in the kobject_init_and_add() call. This triggers the error handling path that causes the double free by releasing the dbs_data object twice, once manually and once through the kobject release callback.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched.
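The error-path pattern described above, reduced to a user-space C model as an added example (not kernel source and not the upstream patch). The `model_*` types and functions, `governor_init_buggy`, `governor_init_fixed` and `frees_after` are hypothetical stand-ins, and frees are counted rather than performed so the program runs safely.

```c
#include <errno.h>

/* User-space model, constructed for illustration; every name is hypothetical. */
struct model_kobj { int refs; void (*release)(struct model_kobj *); };
struct model_dbs_data {
    struct model_kobj kobj; /* first member, so the cast in model_release is valid */
    int exit_calls;         /* times the governor exit hook ran */
    int free_calls;         /* times the object was "freed" (counted, never really freed) */
};
static void model_gov_exit(struct model_dbs_data *d) { d->exit_calls++; }
static void model_free(struct model_dbs_data *d)     { d->free_calls++; }

/* Release callback: runs when the last reference is dropped. */
static void model_release(struct model_kobj *k) {
    struct model_dbs_data *d = (struct model_dbs_data *)k;
    model_gov_exit(d);
    model_free(d);
}
static void model_kobj_put(struct model_kobj *k) { if (--k->refs == 0) k->release(k); }

/* Stand-in for kobject_init_and_add(): takes the initial reference, may fail. */
static int model_init_and_add(struct model_kobj *k, int fail) {
    k->refs = 1;
    k->release = model_release;
    return fail ? -ENOMEM : 0;
}
/* Flawed error path: the put triggers release, then cleanup is repeated by hand. */
static int governor_init_buggy(struct model_dbs_data *d, int fail) {
    int ret = model_init_and_add(&d->kobj, fail);
    if (!ret) return 0;
    model_kobj_put(&d->kobj); /* release callback: exit + free */
    model_gov_exit(d);        /* exit hook runs a second time */
    model_free(d);            /* second free of the same object */
    return ret;
}
/* Corrected error path for this model: the release callback is the only cleanup. */
static int governor_init_fixed(struct model_dbs_data *d, int fail) {
    int ret = model_init_and_add(&d->kobj, fail);
    if (ret) model_kobj_put(&d->kobj);
    return ret;
}
/* Run one init variant on a fresh object and report how often it was freed. */
static int frees_after(int (*init)(struct model_dbs_data *, int), int fail) {
    struct model_dbs_data d = {{0, 0}, 0, 0};
    init(&d, fail);
    return d.free_calls;
}
/* Exit status 0 when the corrected path frees exactly once on failure. */
int main(void) { return frees_after(governor_init_fixed, 1) == 1 ? 0 : 1; }
```

When reviewing similar init code, the check is the same: once an object's lifetime is handed to a refcounted release callback, the error path after the put must not touch or free the object again.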