Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the JFFS2 filesystem implementation of the Linux kernel. It is triggered when the filesystem is mounted and an error occurs while scanning the erase blocks: the error-handling path mishandles memory belonging to the extended-attribute (xattr) subsystem, leaving a reference to memory that has already been freed. That freed memory can subsequently be read, which may cause undefined behaviour or serve as a foothold for further exploitation.
Triggering the bug corrupts memory by giving the kernel access to freed regions; depending on what the allocator has placed there since, this could be manipulated to execute arbitrary code or to crash the system. Because the trigger is a crafted JFFS2 image that has to be mounted, exposure is concentrated on systems that mount JFFS2 images from untrusted sources (for example removable or externally provisioned flash storage).
To reproduce this vulnerability, mount a JFFS2 image that contains at least one inode related to extended attributes. Ensure that the image also includes an abnormal block that will trigger an error during the scanning process. On that error the JFFS2 code attempts to clear the extended-attribute subsystem, but because of the flawed error-handling logic it mismanages the associated memory, creating the use-after-free condition.