Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A double free vulnerability has been identified in the Linux kernel's UBIFS (Unsorted Block Image File System) component. The issue arises during the rename whiteout operation: the memory allocated for 'whiteout_ui->data' is freed twice if the space budget fails for that operation. The first free is performed manually, and the second happens automatically when the inode is being processed, causing memory corruption.
Exploitation of this vulnerability leads to a double free condition, which can cause memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by performing a rename operation that exceeds the space budget on a whiteout inode in UBIFS. The operation allocates memory for 'whiteout_ui->data', frees it once, and then inadvertently frees it again when the inode is processed, creating a double free scenario.
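A userspace model of the failure described above, added as an illustration and not taken from the kernel source or this advisory: it counts how many times the buffer standing in for 'whiteout_ui->data' is released when the space budget fails. The struct and function names are hypothetical, and clearing the pointer after the manual free is an assumed mitigation, not necessarily the upstream fix.

```c
/* Userspace model only; names are hypothetical, not the UBIFS source. */
#include <stdio.h>
#include <stdlib.h>

struct model_inode { void *data; };   /* data stands in for whiteout_ui->data */
static int free_calls;                /* releases recorded for the data buffer */

/* Counts a release instead of calling free(), so the model has no real UB. */
static void tracked_free(void *p) { if (p) free_calls++; }

/* Automatic cleanup when the inode is processed: releases ino->data if set. */
static void inode_release(struct model_inode *ino) { tracked_free(ino->data); }

/* budget_ok == 0 models the failed space budget.
 * hardened == 0: the manual free leaves a stale pointer behind.
 * hardened == 1: the pointer is cleared (assumed mitigation), one release only.
 * Returns the number of releases of the same buffer, or -1 on allocation failure. */
int rename_whiteout_model(int budget_ok, int hardened)
{
    struct model_inode ino = { 0 };
    void *buf = malloc(16);

    if (!buf)
        return -1;
    free_calls = 0;
    ino.data = buf;
    if (!budget_ok) {
        tracked_free(ino.data);       /* first, manual free */
        if (hardened)
            ino.data = NULL;          /* nothing left for cleanup to release */
    }
    inode_release(&ino);              /* automatic free during inode processing */
    free(buf);                        /* the single real release */
    return free_calls;
}

int main(void)
{
    printf("budget fails, stale pointer:   %d releases\n", rename_whiteout_model(0, 0));
    printf("budget fails, pointer cleared: %d releases\n", rename_whiteout_model(0, 1));
    return 0;
}
```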