Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's ASoC (ALSA System on Chip) component, specifically within the soc-core file. This issue arises when a sound card is unbound while a PCM (Pulse Code Modulation) stream is active. The problem occurs in the 'snd_soc_dapm_stream_event()' function, which is called by the 'close_delayed_work' workqueue handler. During the unbinding process, the 'snd_soc_unbind_card()' function flushes delayed work and subsequently calls 'soc_cleanup_card_resources()'. This cleanup process releases all PCM file descriptors, which can trigger the 'snd_soc_dapm_stream_stop()' function, scheduling new delayed work that is not processed before the DAPM widgets are freed, leading to a use-after-free condition.
Triggering this vulnerability causes a use-after-free condition, which can potentially be exploited to execute arbitrary code or to cause a denial of service by crashing the system.
To reproduce this vulnerability, unbind a sound card while a PCM stream is open. The 'snd_soc_unbind_card()' function will flush delayed work and then call 'soc_cleanup_card_resources()', which releases all PCM file descriptors. This process can trigger the 'snd_soc_dapm_stream_stop()' function, scheduling new delayed work that is not processed before the DAPM widgets are freed, creating a use-after-free condition.
The vulnerability has been addressed by adding a flush in the 'soc_cleanup_card_resources()' function after disconnecting the PCM files, and before removing the DAI (Digital Audio Interface) components and DAPM widgets. Users should update to the latest version of the Linux kernel where this fix has been applied.
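The ordering problem and the fix described above, as a userspace model added here (not kernel code and not the upstream patch). The `card_model` struct and the `*_model` functions are hypothetical stand-ins that only track whether the delayed work is still queued when the DAPM widgets are freed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model: no real kernel APIs are called. */
struct card_model {
    bool pcm_open;       /* a PCM stream is still open */
    bool work_pending;   /* close_delayed_work is queued */
    bool widgets_freed;  /* DAPM widgets have been released */
    int  stale_runs;     /* handler runs that happened after the free */
};

/* Models a flush: the queued handler runs now, if there is one. */
static void flush_work_model(struct card_model *c)
{
    if (!c->work_pending)
        return;
    c->work_pending = false;
    if (c->widgets_freed)
        c->stale_runs++; /* handler would touch freed widgets */
}

/* Models disconnecting PCM files: closing an active stream
 * reaches the stream-stop path, which queues the delayed work. */
static void disconnect_pcms_model(struct card_model *c)
{
    if (c->pcm_open) {
        c->pcm_open = false;
        c->work_pending = true;
    }
}

/* Returns how many times the handler ran against freed widgets. */
int unbind_model(bool flush_after_disconnect)
{
    struct card_model c = { .pcm_open = true };

    flush_work_model(&c);          /* flush done at unbind */
    disconnect_pcms_model(&c);     /* cleanup releases PCM files */
    if (flush_after_disconnect)
        flush_work_model(&c);      /* the flush added by the fix */
    c.widgets_freed = true;        /* DAI components and widgets removed */
    flush_work_model(&c);          /* delayed work eventually fires */
    return c.stale_runs;
}

int main(void)
{
    printf("without added flush: %d stale run(s)\n", unbind_model(false));
    printf("with added flush:    %d stale run(s)\n", unbind_model(true));
    return 0;
}
```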