Vulnerability Description:
In the Linux kernel, the following vulnerability has been fixed in drm/mediatek: a potential use-after-free issue in the for_each_child_of_node() helper function, which releases each node reference it acquires while traversing child nodes. The explicit call to of_node_put() is only required when exiting the loop prematurely, removing the recently introduced unnecessary reference count decrement operation in each iteration, which could lead to a use-after-free issue.
Attack Scenario:
An attacker can exploit this vulnerability with local permissions (LOCAL) by crafting malicious Device Tree Node data, triggering a reference counting management error in the for_each_child_of_node() helper function, which can lead to memory being accessed after it has been freed, allowing for local privilege escalation or denial of service. The attack requires local user permissions but can exploit this vulnerability to gain higher privileges under a low-privilege account.
Affected Products and Versions:
The affected product is the Linux Kernel.
The specific version range is: 5.0 ≤ Linux Kernel < 5.10.
This vulnerability exists in the drm/mediatek driver module, related to MediaTek GPU/display controllers.
Recommended Fix:
Users are advised to update the Linux kernel to the latest version promptly to fix this vulnerability. For specific patch information and download links, please refer to the official documentation.