Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the nilfs2 filesystem of the Linux kernel. This issue arises when a nilfs2 filesystem, downgraded to read-only due to metadata corruption, is remounted as read/write. During this process, detaching a log writer and synchronizing the filesystem can occur simultaneously, leading to the use-after-free condition. Specifically, while one task is processing a segment, another task can free the log writer, causing the first task to access an already freed resource, which can lead to undefined behavior.
Exploitation of this vulnerability can lead to memory corruption, where a freed resource is accessed, potentially causing arbitrary code execution or system instability.
To reproduce this vulnerability, first, create a nilfs2 filesystem and introduce metadata corruption to force it into a read-only state. Then, remount the filesystem as read/write. While the filesystem is being remounted, detach the log writer and synchronize the filesystem. This simultaneous operation will trigger the use-after-free condition, as the log writer is freed while still being accessed by a task.
The vulnerability has been addressed in the Linux kernel by modifying the remount process to avoid detaching the log writer, thus preventing the use-after-free race condition.
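The following is an added illustration of the race and of the fix described above, written for this page and not taken from the Linux kernel; every name in it (`log_writer`, `filesystem`, `detach_log_writer`, `remount_rw_vulnerable`, `remount_rw_fixed`) is an assumption chosen for the model, not a kernel identifier. Rather than really freeing memory, the model tombstones the object so the faulty access can be counted deterministically, the way a sanitizer report would surface it, for one fixed interleaving: the segment task grabs the log writer pointer, the remount path runs, then the segment task uses the pointer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the nilfs2 remount race (not kernel code). */

struct log_writer {
    int freed;          /* tombstone: set once the model's "kfree" has run */
    int segments_done;  /* work counter touched by the segment task */
};

struct filesystem {
    int read_only;
    struct log_writer *writer;   /* current log writer */
    struct log_writer *retired;  /* old writer kept only so the model can release it */
    int uaf_events;              /* accesses to a freed writer (what KASAN would report) */
};

static void attach_log_writer(struct filesystem *fs) {
    fs->writer = calloc(1, sizeof *fs->writer);
}

/* Model of freeing the writer: mark it freed but keep it addressable,
 * so a later access is counted instead of being undefined behaviour. */
static void detach_log_writer(struct filesystem *fs) {
    fs->writer->freed = 1;
    fs->retired = fs->writer;
    fs->writer = NULL;
}

/* Segment processing by the sync task, operating on a pointer it
 * obtained earlier (the "held" pointer in run_interleaving). */
static void use_writer(struct filesystem *fs, struct log_writer *w) {
    if (w->freed)
        fs->uaf_events++;
    w->segments_done++;
}

/* Vulnerable remount path: detaches the log writer and attaches a new one
 * while another task may still hold the old pointer. */
static void remount_rw_vulnerable(struct filesystem *fs) {
    detach_log_writer(fs);
    attach_log_writer(fs);
    fs->read_only = 0;
}

/* Fixed remount path: keeps the existing writer and only clears the
 * read-only state, so there is nothing for the sync task to race with. */
static void remount_rw_fixed(struct filesystem *fs) {
    fs->read_only = 0;
}

/* One interleaving: sync task reads the writer pointer, the remount path
 * runs, then the sync task uses the pointer. Returns the UAF count. */
int run_interleaving(void (*remount)(struct filesystem *)) {
    struct filesystem fs = { .read_only = 1 };
    attach_log_writer(&fs);

    struct log_writer *held = fs.writer;   /* sync task, step 1 */
    remount(&fs);                          /* remount task runs in between */
    use_writer(&fs, held);                 /* sync task, step 2 */

    int events = fs.uaf_events;
    free(fs.writer);
    free(fs.retired);
    return events;
}

int main(void) {
    printf("vulnerable remount: %d use-after-free event(s)\n",
           run_interleaving(remount_rw_vulnerable));
    printf("fixed remount:      %d use-after-free event(s)\n",
           run_interleaving(remount_rw_fixed));
    return 0;
}
```

The vulnerable path reports one use-after-free for this interleaving and the fixed path reports none, which is the whole content of the fix: once remount no longer detaches the log writer, the sync task's pointer stays valid for the lifetime of the mount.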