Linux Kernel Power Supply AB8500 Use-After-Free Vulnerability in the power_supply_changed() Function

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's power supply AB8500 driver. The driver uses the 'devm_' variant for requesting interrupts before the 'devm_' variant for allocating or registering the 'power_supply' handle. Because 'devm_' resources are released in reverse order of allocation, the 'power_supply' handle is deallocated or unregistered before the interrupt handler is unregistered. This creates a race condition where an interrupt can be triggered just after the 'power_supply' handle has been freed, but before the corresponding unregistration of the interrupt handler has completed. Consequently, the interrupt handler may call 'power_supply_changed()' with a freed 'power_supply' handle, leading to a system crash or silent memory corruption. This vulnerability was introduced during a refactor by commit 1c1f13a006ed. It can also occur when the driver is probed, if an interrupt fires before the 'power_supply' handle is registered.
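
The ordering problem described above, as an added example (not code from the kernel or from this advisory): a small userspace C model in which resources are released in reverse order of acquisition, as 'devm_' does. The names 'unsafe_windows' and 'struct model' and the two-resource simplification are assumptions made for illustration; registering the 'power_supply' handle first is shown only as the ordering that leaves no unsafe state in this model.

```c
/* Userspace model of devm teardown order (constructed; not kernel code). */
#include <stdio.h>

enum res { RES_IRQ, RES_PSY };

struct model {
    enum res stack[2]; /* managed resources, released last-in first-out */
    int n;
    int irq_live;      /* handler registered, may run at any time */
    int psy_valid;     /* power_supply handle registered and not freed */
    int windows;       /* states where the handler would see a bad handle */
};

/* Would an interrupt firing now reach power_supply_changed() with a
 * handle that is unregistered or already freed? */
static void check(struct model *m)
{
    if (m->irq_live && !m->psy_valid)
        m->windows++;
}

static void set_state(struct model *m, enum res r, int on)
{
    /* Flip the flag that belongs to this resource, then re-check. */
    *(r == RES_IRQ ? &m->irq_live : &m->psy_valid) = on;
    check(m);
}

/* Count unsafe states across probe and removal for one probe ordering. */
int unsafe_windows(int irq_first)
{
    struct model m = {0};
    enum res order[2] = { irq_first ? RES_IRQ : RES_PSY,
                          irq_first ? RES_PSY : RES_IRQ };
    for (int i = 0; i < 2; i++) {          /* probe: acquire in order */
        m.stack[m.n++] = order[i];
        set_state(&m, order[i], 1);
    }
    while (m.n > 0)                        /* remove: release in reverse */
        set_state(&m, m.stack[--m.n], 0);
    return m.windows;
}

int main(void)
{
    printf("IRQ requested first:   %d unsafe windows\n", unsafe_windows(1));
    printf("power_supply first:    %d unsafe windows\n", unsafe_windows(0));
    return 0;
}
```

With the interrupt requested first the model reports two unsafe states, one during probe and one during removal; with the handle registered first it reports none.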

Impact

Exploitation of this vulnerability typically crashes the system or silently corrupts memory.

Reproduction

The vulnerability can be reproduced by probing the AB8500 charger driver, which will trigger the interrupt handling process. If the 'devm_request_threaded_irq' function is called before the 'power_supply' handle is fully registered, the race condition will occur. This can be observed by monitoring the system's stability and memory integrity after loading the driver.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: May 28, 2026, 6:13 AM
Updated: May 28, 2026, 6:13 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.0
exploitability: 3.9
remediation: 7.7
relevance: 9.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.