Linux Kernel Kernfs Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's kernfs implementation. The issue arises when two calls to 'kernfs_remove_by_name_ns()' are made concurrently for the same file, creating a race condition between them. It was detected by Syzkaller, which triggered the issue by mounting a 9P file system and removing a file concurrently. The problem occurs when the root node is freed while 'kernfs_drain()' is still running, leaving the draining caller with a dangling reference and producing a use-after-free that could be exploited.
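As an added illustration, not part of this advisory and not the kernel's code, the following C model shows the lifetime pattern behind this class of bug: a drain step caches a pointer to the node's root, releases the root's lock to wait, and later re-locks through the cached pointer, while a concurrent path can free the root during that window. The struct names, the lock, the teardown callback and the reference-count fix are hypothetical stand-ins chosen to make the interleaving visible; the model does not reproduce kernfs internals or the upstream patch, and "freeing" only sets a flag so the stale access is reported instead of being undefined behaviour.

```c
/* Added example (not kernel code): a simplified userspace model of a
 * drain step that caches a root pointer, drops the root's lock, and
 * re-locks through the cached pointer. If a concurrent release path
 * frees the root while the lock is dropped, the re-lock is a
 * use-after-free. Struct names, the lock and the teardown callback are
 * hypothetical stand-ins for kernfs internals. */
#include <stdbool.h>
#include <stddef.h>

struct kroot {
    int refcnt;
    bool locked;
    bool freed;   /* set instead of calling free(), so a stale access is detectable */
};

struct knode {
    struct kroot *root;
};

static void root_get(struct kroot *r) { r->refcnt++; }

static void root_put(struct kroot *r)
{
    if (--r->refcnt == 0)
        r->freed = true;   /* stands in for kfree() of the root */
}

/* Locking through a possibly stale pointer: report rather than crash. */
static bool root_lock(struct kroot *r)
{
    if (r->freed)
        return false;      /* on real memory this would be the use-after-free */
    r->locked = true;
    return true;
}

static void root_unlock(struct kroot *r) { r->locked = false; }

/* The concurrent actor that runs while drain has let go of the lock. */
typedef void (*concurrent_fn)(struct kroot *);

/* Hypothetical teardown path dropping the tree's own reference on the root. */
static void concurrent_teardown(struct kroot *r) { root_put(r); }

/* Benign interleaving: nothing touches the root during the window. */
static void concurrent_nothing(struct kroot *r) { (void)r; }

/* Vulnerable shape: cache the root pointer, release the lock, then use the
 * same pointer again with nothing keeping the root alive in between.
 * Returns true only if the drain completed on a live root. */
static bool drain_unpinned(struct knode *kn, concurrent_fn during_wait)
{
    struct kroot *root = kn->root;
    bool ok;

    root_lock(root);
    root_unlock(root);       /* give up the lock while waiting for active users */
    during_wait(root);       /* the race window */
    ok = root_lock(root);    /* re-lock through the cached pointer */
    if (ok)
        root_unlock(root);
    return ok;
}

/* Hardened shape: hold a reference on the root for as long as the cached
 * pointer will be used, so a concurrent release cannot free it underneath us. */
static bool drain_pinned(struct knode *kn, concurrent_fn during_wait)
{
    struct kroot *root = kn->root;
    bool ok;

    root_get(root);          /* pin the root across the unlocked window */
    root_lock(root);
    root_unlock(root);
    during_wait(root);
    ok = root_lock(root);    /* still alive: our reference holds it */
    if (ok)
        root_unlock(root);
    root_put(root);          /* may now be the last reference */
    return ok;
}

/* Run one drain against a fresh root whose only reference is the tree's own. */
static bool run(bool (*drain)(struct knode *, concurrent_fn), concurrent_fn during_wait)
{
    struct kroot root = { .refcnt = 1, .locked = false, .freed = false };
    struct knode kn = { .root = &root };
    return drain(&kn, during_wait);
}
```

With no concurrent activity both shapes succeed; with the teardown callback running inside the window, 'drain_unpinned' re-locks a freed root while 'drain_pinned' survives because its own reference keeps the root alive until the drain is finished. The general rule the model encodes is that any pointer kept across a lock release must be pinned by a reference for the whole time it is used.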

Impact

Triggering this vulnerability produces a use-after-free, which commonly results in memory corruption and can potentially allow arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using Syzkaller to mount an ext4 file system image and then concurrently remove a file while the file system is being accessed. This can be done by creating a 9P file system client that interacts with the mounted file system, triggering the race condition that causes the use-after-free vulnerability.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: Oct 1, 2025, 1:04 PM
Updated: Oct 1, 2025, 1:04 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.