Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- ~5.10
A use-after-free vulnerability has been identified in the Linux kernel's BFQ (Budget Fair Queueing) block I/O scheduler, in versions through 5.10. It arises when a process is moved between control groups, which can leave two different BFQ queue references pointing to the same block I/O control structure. A previously allocated BFQ queue can then be freed while it is still in use, creating a risk of memory corruption or exploitation.
Exploitation of this vulnerability can lead to memory corruption, allowing for potential arbitrary code execution or causing a denial-of-service condition by crashing the system.
The vulnerability can be reproduced by moving a process between control groups while it is performing I/O operations. This can be done using a workload that generates I/O, such as file stress testing tools, and then changing the control group of the process before the I/O operation is completed. The BFQ scheduler will allocate a new queue for the process in the new control group, but the old queue may still be referenced, leading to a use-after-free condition when the old queue is freed while the new one is still in use.
Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.
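To find hosts that still need the upgrade, the following added example (not from the advisory or the kernel project) lists block devices whose active scheduler is bfq and compares the running release against the 5.10 bound stated above. It assumes upstream version numbering; a distribution kernel may carry a backported fix that the version string does not show.

```shell
#!/bin/sh
# Added example: inventory of exposure to the BFQ use-after-free.
# Assumption: "affected" means a release at or below 5.10, as the page states.

# Print the active scheduler from the text of a queue/scheduler file,
# e.g. "mq-deadline kyber [bfq] none" -> "bfq".
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)].*/\1/p'
}

# Succeed if a `uname -r` style release is at or below 5.10.
kernel_in_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -le 10 ]; }
}

# List block devices whose active scheduler is bfq. The sysfs root is a
# parameter (default /sys/block) so the function can be pointed at a copy.
bfq_devices() {
    root=${1:-/sys/block}
    for f in "$root"/*/queue/scheduler; do
        [ -r "$f" ] || continue
        if [ "$(active_scheduler "$(cat "$f")")" = bfq ]; then
            dev=${f#"$root"/}
            printf '%s\n' "${dev%%/*}"
        fi
    done
}

# Combine both checks. Arguments (release, sysfs root) default to this host.
exposure_report() {
    release=${1:-$(uname -r)}
    devs=$(bfq_devices "${2:-/sys/block}")
    if [ -z "$devs" ]; then
        echo "bfq not active on any block device (kernel $release)"
    elif kernel_in_range "$release"; then
        echo "EXPOSED: kernel $release, bfq active on: $(echo $devs)"
    else
        echo "bfq active on: $(echo $devs); kernel $release not matched as <= 5.10"
    fi
}

exposure_report "$@"
```

The BFQ code path only runs for devices where bfq is the active scheduler, so an empty device list means the affected code is not in use on that host even if the kernel version is in range.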