Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A double free vulnerability has been identified in the Linux kernel's tracing component. The issue arises in the 'create_var_ref()' function, where 'init_var_ref()' is called to initialize fields of 'ref_field', which is allocated in a prior call to 'create_hist_field()'. When 'init_var_ref()' encounters an error, it frees the allocated fields, including 'ref_field->system'. However, the caller later invokes 'destroy_hist_field()' for error handling, which attempts to free the fields and the variable itself, leading to a double free condition. The vulnerability has been addressed by modifying 'init_var_ref()' to set the corresponding fields to NULL before freeing them, preventing the double free scenario.
Exploitation of this vulnerability could lead to memory corruption issues, allowing for potential arbitrary code execution or causing a denial-of-service condition by crashing the system.
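The ownership bug described above, reduced to a userspace C model (an added example, not the kernel's code): the function names follow the advisory, while `model_strdup`, `model_free`, the `clear_fields` switch and the one-field `hist_field` are assumptions made for illustration. The toy allocator counts a second free of the same buffer instead of performing it, so the vulnerable and fixed error paths can be compared safely.

```c
#include <string.h>

/* Userspace model: names follow the advisory, bodies are simplified assumptions. */
struct hist_field { char *system; };
enum { UNUSED, LIVE, FREED };
static char pool[4][32];          /* toy allocator: freed slots are never reused */
static int state[4], double_frees;

static char *model_strdup(const char *s)
{
    for (int i = 0; i < 4; i++)
        if (state[i] == UNUSED) {
            state[i] = LIVE;
            return strncpy(pool[i], s, sizeof(pool[i]) - 1);
        }
    return NULL;
}

static void model_free(char *p)
{
    for (int i = 0; p && i < 4; i++)         /* NULL is a no-op, like kfree(NULL) */
        if (p == pool[i]) {
            double_frees += (state[i] == FREED); /* second free of the same slot */
            state[i] = FREED;
        }
}

/* Always fails in this model; clear_fields selects the fixed behaviour. */
static int init_var_ref(struct hist_field *ref, int clear_fields)
{
    ref->system = model_strdup("sched");     /* constructed value */
    model_free(ref->system);                 /* callee frees on its error path */
    if (clear_fields)
        ref->system = NULL;                  /* fix: leave no stale pointer behind */
    return -1;
}

static void destroy_hist_field(struct hist_field *f) { model_free(f->system); }

/* Returns how many double frees the caller's error handling triggered. */
int create_var_ref(int clear_fields)
{
    struct hist_field ref = { 0 };
    memset(state, 0, sizeof(state));
    double_frees = 0;
    if (init_var_ref(&ref, clear_fields) < 0)
        destroy_hist_field(&ref);            /* caller cleans up the same field */
    return double_frees;
}
```

With `clear_fields` set to 0 the caller's cleanup frees a pointer the callee already released; with 1 the cleanup sees NULL and does nothing.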