Linux Kernel Power Supply RT9455 Use-After-Free Vulnerability in Power Supply Changed Function

A use-after-free vulnerability has been identified in the Linux kernel's handling of the Richtek RT9455 battery charger within the power supply subsystem. This issue arises because the 'devm_' variant for requesting interrupts is used before the 'devm_' variant for registering the power supply handle. As a result, the power supply handle is deallocated before the interrupt handler is unregistered, creating a race condition. During this window, an interrupt can be triggered that calls 'power_supply_changed()' with a freed handle, leading to system crashes or memory corruption. This vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability typically results in a system crash or silent memory corruption.

Reproduction

The vulnerability can be reproduced by loading the RT9455 charger driver in a Linux kernel version that is vulnerable. Once the driver is loaded, an interrupt can be triggered that invokes the 'power_supply_changed()' function before the power supply handle is properly registered, causing a use-after-free condition. This can be done by simulating an interrupt just after the power supply handle is freed but before the IRQ handler is unregistered.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched kernel can be found on the official Linux kernel website.