Linux Kernel BFQ Scheduler Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Block I/O Completely Fair Queuing (BFQ) scheduler. The issue arises because the function 'bfq_exit_icq_bfqq()' can free a queue structure ('bfqq') before 'bic_set_bfqq()' accesses it, so the later access touches released memory. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to memory corruption, potentially allowing for arbitrary code execution or causing a system crash.

Reproduction

The vulnerability can be reproduced through the BFQ scheduler's queue management functions. Specifically, 'bfq_exit_icq_bfqq()' must free 'bfqq' before 'bic_set_bfqq()' accesses it. This requires a scenario in which 'bfq_exit_icq_bfqq()' is triggered first and 'bic_set_bfqq()' follows, with both calls operating on the same 'bfqq' instance.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. The specific commit that fixes this issue is available in the Linux kernel stable tree.
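The ordering defect described above, shown as an added C model that is not the advisory's or the kernel's code: the two structures, the 'freed' flag standing in for a KASAN report, and the assumption that the fix detaches the bic's reference before the queue is released are all simplifications made here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Reduced user-space stand-ins for the kernel structures (constructed model). */
struct bfq_io_cq {
    struct bfq_queue *bfqq[2]; /* indexed by is_sync, as in the kernel */
};
struct bfq_queue {
    int ref;                   /* reference count; queue is released at zero */
    bool freed;                /* models memory handed back to the allocator */
    struct bfq_io_cq *bic;     /* back-pointer that bic_set_bfqq() clears */
};

/* Counts touches of released memory, standing in for a KASAN report. */
static int uaf_events;

static void bfq_put_queue(struct bfq_queue *q)
{
    if (--q->ref == 0)
        q->freed = true;       /* last reference dropped: memory is gone */
}

/* Detach the old queue from the bic; note that it reads fields of 'old'. */
static void bic_set_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq, bool is_sync)
{
    struct bfq_queue *old = bic->bfqq[is_sync];
    if (old) {
        if (old->freed)
            uaf_events++;      /* dereferencing a queue that was already released */
        if (old->bic == bic)
            old->bic = NULL;
    }
    bic->bfqq[is_sync] = bfqq;
}

/* Exit path for one bic; fixed_order selects the assumed corrected ordering. */
int simulate_exit_icq(bool fixed_order)
{
    struct bfq_io_cq bic = { { NULL, NULL } };
    struct bfq_queue q = { .ref = 1, .freed = false, .bic = &bic };
    bic.bfqq[1] = &q;          /* the sync queue owned by this bic */
    uaf_events = 0;
    if (fixed_order) {         /* unlink first, release second */
        bic_set_bfqq(&bic, NULL, true);
        bfq_put_queue(&q);
    } else {                   /* vulnerable: release, then touch via the bic */
        bfq_put_queue(&q);
        bic_set_bfqq(&bic, NULL, true);
    }
    return uaf_events;         /* 1 for the vulnerable order, 0 for the fixed one */
}
```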

Added: Sep 15, 2025, 6:26 PM
Updated: Sep 15, 2025, 6:26 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.