Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's UBI (Unsorted Block Image) subsystem, specifically within the character device ioctl operations. This vulnerability creates a use-after-free condition, which can be exploited to cause memory corruption. The issue arises from a concurrency problem between two functions that handle UBI device management: 'ctrl_cdev_ioctl', which is responsible for attaching and detaching UBI devices, and 'ubi_cdev_ioctl', which manages UBI volumes. The race condition occurs because 'ctrl_cdev_ioctl' can modify UBI device states while 'ubi_cdev_ioctl' is concurrently accessing them, leading to a double-free vulnerability when UBI volumes are removed. The problem was introduced by a previous commit that altered the timing of UBI device availability, allowing for this unsafe concurrency.
Exploitation of this vulnerability causes a use-after-free condition, leading to memory corruption. Such memory corruption can often be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.
The vulnerability can be reproduced by creating a UBI volume and then simultaneously attaching and detaching UBI devices through the character device ioctl interface. This can be done by triggering the 'ctrl_cdev_ioctl' function to attach a UBI device while 'ubi_cdev_ioctl' is in the process of removing a UBI volume, which produces the race condition.
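The interleaving described above, reduced to a user-space C model: this is an added example, not kernel code and not the upstream fix, and all struct and function names in it are hypothetical. The two steps of each path are driven by hand so the worst-case ordering is deterministic, and releases are counted instead of actually freeing memory.

```c
/* Added illustration: user-space model of the race class, not kernel code.
 * All names are hypothetical; a "release" is counted, never performed. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

struct volume { int releases; };              /* number of free()-equivalents */
struct device { struct volume *_Atomic vol; };

/* Unsafe path, split into the two steps another ioctl can interleave with.
 * The load is atomic, but check and release are still separate steps. */
static struct volume *unsafe_lookup(struct device *d) {
    return atomic_load(&d->vol);              /* step 1: read shared pointer */
}
static void unsafe_release(struct device *d, struct volume *v) {
    if (v) { v->releases++; atomic_store(&d->vol, NULL); }   /* step 2 */
}

/* Hardened path: lookup and claim are one atomic step, so the loser gets NULL. */
static struct volume *claim(struct device *d) {
    return atomic_exchange(&d->vol, NULL);
}
static void release_claimed(struct volume *v) { if (v) v->releases++; }

/* Worst case: both paths complete step 1 before either reaches step 2. */
int race_unsafe(void) {
    struct volume v = {0};
    struct device d; atomic_init(&d.vol, &v);
    struct volume *ctrl_view = unsafe_lookup(&d);   /* device management path */
    struct volume *vol_view  = unsafe_lookup(&d);   /* volume removal path */
    unsafe_release(&d, ctrl_view);
    unsafe_release(&d, vol_view);                   /* second release: double free */
    return v.releases;
}

int race_hardened(void) {
    struct volume v = {0};
    struct device d; atomic_init(&d.vol, &v);
    struct volume *ctrl_view = claim(&d);           /* wins ownership */
    struct volume *vol_view  = claim(&d);           /* sees NULL, does nothing */
    release_claimed(ctrl_view);
    release_claimed(vol_view);
    return v.releases;
}

int main(void) {
    printf("unsafe=%d hardened=%d\n", race_unsafe(), race_hardened());
    return 0;
}
```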
Users are advised to update to the latest version of the Linux kernel where this vulnerability has been addressed.