Linux Kernel Use-After-Free Vulnerability in Virtual Console Driver

A use-after-free vulnerability has been identified in the Linux kernel's virtual console (VC) driver, specifically within the 'vcs_read' function of the 'vc_screen' component. This vulnerability arises because the 'vc_data' structure can be freed by the 'vc_deallocate' function after 'console_unlock' is called, leading to a use-after-free condition when 'vcs_size' is subsequently invoked. The issue was reported by Syzkaller and is associated with a memory access error detected by the Kernel Address Sanitizer (KASAN).

Impact

Exploitation of this vulnerability leads to a use-after-free condition, allowing for potential arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by opening a virtual console and performing a read operation. After the 'console_unlock' function is called, the 'vc_data' structure is freed, creating a use-after-free condition. This can be observed by calling the 'vcs_size' function, which attempts to access the freed 'vc_data' structure, resulting in a memory access error.