Linux Kernel Use-After-Free Vulnerability in PMDomain Mediatek Bus Protection Legacy Function

A use-after-free vulnerability has been identified in the Linux kernel's PMDomain Mediatek driver, specifically within the 'scpsys_get_bus_protection_legacy()' function. The issue arises because the function improperly manages the reference count of a device node. It calls 'of_node_put()' to decrement the reference count before verifying if 'syscon_regmap_lookup_by_phandle()' encounters an error. If an error does occur, 'dev_err_probe()' attempts to access the node to provide error details, but the node may have already been freed, leading to a use-after-free condition. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, which can commonly result in memory corruption and potentially allow for arbitrary code execution.

Reproduction

To reproduce this vulnerability, the 'scpsys_get_bus_protection_legacy()' function must be called in a context where 'of_find_node_with_property()' returns a valid device node. The function will then incorrectly release the node before checking for errors in the subsequent 'syscon_regmap_lookup_by_phandle()' call. If an error is returned, the node pointer will be dereferenced after it has already been freed, creating a use-after-free vulnerability.

Remediation

The vulnerability has been fixed by adjusting the order of operations in the 'scpsys_get_bus_protection_legacy()' function. The 'of_node_put()' call has been moved to after the error check, ensuring that the node remains valid when accessed for error reporting. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.