Linux Kernel NFC SHDLC Timer and Work Context Management Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's NFC SHDLC implementation. The issue arises in the 'llc_shdlc_deinit' function, which purges the SHDLC socket buffers and frees the SHDLC structure. If timers are still active or the state machine is still running when this happens, the teardown can interfere with them, potentially leading to a use-after-free condition and other shutdown-related races. The vulnerability was discovered by the Linux Verification Center using the SVACE analysis tool.

Impact

The vulnerability can be exploited to create a use-after-free condition, which may lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by initializing the SHDLC LLC module and then triggering the 'llc_shdlc_deinit' function while there are active timers and queued work items. This can be done by scheduling a work item that accesses the SHDLC state or socket buffers, and then calling the deinitialization function before the work item has completed.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
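The teardown race described under Vulnerability, as a single-threaded userspace model added here for illustration; it is not kernel code and not the upstream patch. All names are hypothetical, "free" is modelled as a flag so that a stale access can be counted safely, and the model assumes that a timer expiry queues the state-machine work.

```c
#include <stdbool.h>
/* Constructed userspace model; every name here is hypothetical, not kernel API. */
struct ctx {
    bool freed;       /* stands in for kfree(); memory stays valid, so no real UB */
    bool timer_armed; /* a timer that has not fired yet */
    bool work_queued; /* state-machine work waiting to run */
    int  queued_bufs; /* stands in for the socket-buffer queues */
    int  stale_hits;  /* deferred callbacks that touched a "freed" context */
};

static void sm_work(struct ctx *c)             /* reads state and the queues */
{
    c->work_queued = false;
    if (c->freed) { c->stale_hits++; return; } /* would be the use-after-free */
    if (c->queued_bufs > 0) c->queued_bufs--;
}

static void timer_fire(struct ctx *c)          /* assumed: expiry queues the work */
{
    c->timer_armed = false;
    if (c->freed) c->stale_hits++;             /* the callback itself uses the context */
    c->work_queued = true;
}

static void run_pending(struct ctx *c)         /* what fires after teardown returns */
{
    if (c->timer_armed) timer_fire(c);
    if (c->work_queued) sm_work(c);
}

static void deinit(struct ctx *c, bool quiesce_first)
{
    if (quiesce_first) {
        c->timer_armed = false;                /* 1. stop timers: no new work gets queued */
        if (c->work_queued) sm_work(c);        /* 2. queued work finishes on a live context */
    }
    c->queued_bufs = 0;                        /* 3. purge the queues */
    c->freed = true;                           /* 4. free the context */
}

/* Stale accesses after a teardown that starts with a timer armed and work queued. */
int stale_after_teardown(bool quiesce_first)
{
    struct ctx c = { .timer_armed = true, .work_queued = true, .queued_bufs = 3 };
    deinit(&c, quiesce_first);
    run_pending(&c);
    return c.stale_hits;
}
int main(void) { return stale_after_teardown(true); } /* exits 0: no stale access */
```

Without the quiesce step, both the timer callback and the work item run against the freed context; with it, nothing is left pending when the context is freed.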

Added: Jun 3, 2026, 6:26 PM
Updated: Jun 3, 2026, 6:26 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.6
exploitability: 3.9
remediation: 7.7
relevance: 9.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.