Linux Kernel blk-Crypto Key Management Vulnerability Leading to Use-After-Free

Vulnerability

A vulnerability in the Linux kernel's block-layer crypto key management (blk-crypto) can cause a use-after-free. The issue lies in the blk_crypto_evict_key() function, which is responsible for evicting encryption keys from hardware keyslots. If the function finds that a key is still in use, or the low-level keyslot eviction fails, it returns an error without unlinking the key from the keyslot management structures. This is a mismatch: the function is called from contexts that cannot tolerate failure and that go on to release the key, so a key left linked in a keyslot can be referenced after it has been freed.
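A user-space model of the failure path described above, added here as an illustration and not taken from the kernel source: the vulnerable evict routine returns early without unlinking the key, so once the caller frees the key the slot still points at freed memory, while the hardened form unlinks on every path and only reports the error. The struct layout, the -EBUSY/-EIO values and the driver-failure switch are constructed for the example.

```c
#include <stdlib.h>

/* Constructed model of keyslot bookkeeping, not the kernel's structures; slot lookup is elided. */
struct crypto_key { unsigned char raw[32]; };
struct keyslot {
    const struct crypto_key *key;  /* key linked into this slot, NULL when free */
    int refs;                      /* in-flight I/O still using the slot */
    int hw_evict_fails;            /* constructed switch: driver refuses to evict */
};

/* Stand-in for the driver's evict hook: 0 on success, -EIO (-5) on failure. */
static int ll_keyslot_evict(struct keyslot *slot) {
    return slot->hw_evict_fails ? -5 : 0;
}

/* Vulnerable pattern: early return on -EBUSY or driver failure leaves slot->key
 * pointing at a key the caller is about to free. */
static int evict_key_buggy(struct keyslot *slot) {
    if (slot->refs != 0)
        return -16;                /* -EBUSY: key stays linked */
    int err = ll_keyslot_evict(slot);
    if (err)
        return err;                /* driver failure: key stays linked */
    slot->key = NULL;
    return 0;
}

/* Hardened pattern: the caller frees the key whatever the result, so unlink on
 * every path and only report the error. */
static int evict_key_fixed(struct keyslot *slot) {
    int err = slot->refs != 0 ? -16 : ll_keyslot_evict(slot);
    slot->key = NULL;              /* no dangling pointer survives, even on error */
    return err;
}

/* Caller's lifecycle (evict, then free): returns 1 if the slot still pointed at
 * the key when it was freed, i.e. a use-after-free hazard was left behind. */
static int leaves_dangling(int (*evict)(struct keyslot *), int refs, int hw_fail) {
    struct crypto_key *key = calloc(1, sizeof *key);
    struct keyslot slot = { key, refs, hw_fail };
    evict(&slot);
    int dangling = (slot.key == key);
    free(key);
    return dangling;
}

int main(void) {
    return (leaves_dangling(evict_key_buggy, 0, 1) && !leaves_dangling(evict_key_fixed, 0, 1)) ? 0 : 1;
}
```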

Impact

The vulnerability can be exploited to trigger a use-after-free, which may lead to memory corruption or arbitrary code execution in the kernel.

Reproduction

The vulnerability can be reproduced by invoking the blk_crypto_evict_key() function in a context where a key is still in use or where the keyslot eviction fails. This can be done by simulating a bug that causes a key to be incorrectly reported as in use, or by disrupting the keyslot eviction process, such as by introducing a hardware or driver issue that prevents the eviction from completing successfully.

Remediation

Upgrade to a Linux kernel version in which this vulnerability has been addressed.

Added: Oct 4, 2025, 7:06 PM
Updated: Oct 4, 2025, 7:06 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          7.5
  exploitability  4.3
  remediation     7.7
  relevance       0.6
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.