Linux Kernel dm Thin Pool Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's device mapper (dm) thin provisioning feature. It affects kernel versions prior to 5.19.0. When a metadata commit fails, the transaction is aborted and the metadata space maps are destroyed. If a DM table reload occurs after this failure, a use-after-free condition is created, causing a crash. The vulnerability can be reproduced by manipulating the state of a thin pool and then reloading the DM table.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, causing a crash due to a memory access violation.

Reproduction

The vulnerability can be reproduced by first taking the block device offline and then writing zeros to the mapped thin pool. After the pool is loaded with a specific table configuration, reloading the DM table triggers the use-after-free condition.

Remediation

Users can avoid this vulnerability by ensuring that thin pools are not in a failed state before reloading DM tables.
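
One way to apply this check before a reload, as an added example that is not part of the original advisory or the kernel project: it classifies the thin-pool line printed by `dmsetup status` and refuses the reload unless the pool is healthy. The function names, the `DMSETUP` override hook and the choice to also block on `ro` and `needs_check` (a conservative reading of "failed state") are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the advisory): check thin-pool state before a reload.

# Classify one line of `dmsetup status <pool>` output.
# Prints one of: ok, failed, needs_check, read_only, not_thin_pool
thin_pool_state() {
    printf '%s\n' "$1" | {
        read -r _start _len target rest
        if [ "$target" != "thin-pool" ]; then
            echo not_thin_pool
        elif [ "$rest" = "Fail" ]; then
            # A failed pool reports only "Fail" after the target name.
            echo failed
        else
            # Otherwise the mode (rw|ro|out_of_data_space) and the
            # needs_check flag appear as separate space-delimited fields.
            case " $rest " in
                *" needs_check "*) echo needs_check ;;
                *" ro "*)          echo read_only ;;
                *)                 echo ok ;;
            esac
        fi
    }
}

# Return 0 only when the pool looks healthy enough to reload its table.
# DMSETUP is a hook of this example so the check can be exercised without root.
safe_to_reload() {
    status=$("${DMSETUP:-dmsetup}" status "$1") || return 2
    state=$(thin_pool_state "$status")
    if [ "$state" = "ok" ]; then
        return 0
    fi
    echo "refusing to reload $1: thin pool state is $state" >&2
    return 1
}
```

A wrapper script can call `safe_to_reload <pool>` and proceed to `dmsetup reload` only when it returns 0.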

Added: Jun 18, 2025, 5:38 PM
Updated: Jun 18, 2025, 5:38 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.