Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 4.9, < 4.9.0-rc1
A use-after-free vulnerability has been identified in the Linux kernel's USB framebuffer driver (udlfb). The issue arises because the driver maps framebuffer pages to userspace without properly managing the virtual memory area (VMA) operations. This oversight prevents the kernel from tracking active memory mappings. When the framebuffer is reallocated, the old memory pages are freed while userspace still holds references, allowing continued access to the freed pages. The vulnerability has been addressed by adding VMA operation callbacks to manage the mapping references correctly.
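The following userspace model is an added illustration, not the udlfb driver code or the upstream patch: it shows why a driver that hands out mappings without open/close callbacks cannot tell whether a buffer is still mapped when it reallocates, and how counting mappings closes that window. All struct and function names are hypothetical, and deferring the free until the last unmap is an assumed policy chosen for the model.

```c
/* Userspace model, NOT kernel code: all names here are hypothetical. */
#include <stdbool.h>

struct fb_buf {               /* one framebuffer allocation */
    int  mappings;            /* live userspace mappings (VMAs) */
    bool retired;             /* replaced by a newer buffer */
    bool freed;               /* model flag standing in for a real page free */
};
struct fb_dev { struct fb_buf *cur; bool track; };  /* track = VMA callbacks present */
struct vma    { struct fb_dev *dev; struct fb_buf *buf; };

/* mmap handler: with tracking, counts the mapping as a VMA open callback would. */
static struct vma fb_mmap(struct fb_dev *d) {
    struct vma v = { d, d->cur };
    if (d->track)
        d->cur->mappings++;
    return v;
}

/* VMA close callback: drop the reference; the last unmap frees a retired buffer. */
static void fb_vma_close(struct vma *v) {
    if (v->dev->track && --v->buf->mappings == 0 && v->buf->retired)
        v->buf->freed = true;
}

/* Reallocation: install the new buffer; free the old one only if nothing maps it.
 * Without tracking the driver cannot know, so it frees unconditionally. */
static void fb_realloc(struct fb_dev *d, struct fb_buf *next) {
    struct fb_buf *old = d->cur;
    d->cur = next;
    old->retired = true;
    if (!d->track || old->mappings == 0)
        old->freed = true;
}

/* Map, reallocate, then unmap. Returns true if the mapping pointed at freed
 * memory while still live; *freed_at_end reports whether the old buffer
 * was eventually released. */
static bool run_scenario(bool track, bool *freed_at_end) {
    struct fb_buf old_buf = {0}, new_buf = {0};
    struct fb_dev dev = { &old_buf, track };
    struct vma v = fb_mmap(&dev);
    fb_realloc(&dev, &new_buf);
    bool dangling = v.buf->freed;   /* the use-after-free window */
    fb_vma_close(&v);
    *freed_at_end = old_buf.freed;
    return dangling;
}
```

In both runs the old buffer ends up released; only the tracked run releases it after the last mapping is gone.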
Exploitation of this vulnerability allows processes to access and modify freed kernel memory, potentially leading to arbitrary code execution or memory corruption.
The vulnerability can be reproduced by emulating a USB device with the 'dummy_hcd' and 'raw_gadget' options. This setup will trigger the use-after-free condition by disconnecting the USB device while the framebuffer is still mapped to userspace.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched.