Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 6.3.0-rc1, < 6.3.0-rc2
A use-after-free vulnerability has been identified in the Linux kernel's tracing ring buffer implementation (kernel/trace/ring_buffer.c). The ring buffer defers reader wake-ups to IRQ work, and before the fix the buffer could be destroyed without first synchronizing that pending IRQ work. In certain scenarios, such as an 'ARCH=um' (User-Mode Linux) build with time-travel mode, the ring buffer can therefore be deleted before the queued IRQ work has run, so the work later dereferences memory that has already been freed. This triggers a kernel address sanitizer (KASAN) report or, without KASAN, a crash. The fix synchronizes the IRQ work before the buffer is freed. The vulnerability affects Linux kernel versions 6.3.0-rc1 and prior.
The flaw is a use-after-free of the ring buffer: the deferred IRQ work accesses the buffer after it has been freed, reading from and potentially writing to released memory. In practice this manifests as a KASAN report or a kernel crash (denial of service); as with any kernel use-after-free, arbitrary code execution cannot be ruled out in principle, but no such exploit is described here.
The bug is triggered by writing to a ring buffer, which queues the wake-up IRQ work, and then destroying the buffer before that IRQ work has run. In a User-Mode Linux (UML) build with time-travel mode enabled, where the timing of deferred work relative to the rest of the kernel can be controlled, this ordering is readily reached, so the pending IRQ work runs against memory that has already been freed.
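The ordering bug and the fix, as an added example that is not kernel code and not the patch itself: a single-threaded C model in which irq_work_queue(), irq_work_run() and irq_work_sync() are simplified stand-ins for the kernel primitives of the same name, rb_wake_up_waiters() plays the buffer's wake-up callback, and the struct trace_buffer, RB_ALIVE/RB_DEAD magic values and run_scenario() driver are assumptions made for the example. Deferred work runs only when irq_work_run() is called, so the race is deterministic, and a "freed" buffer is poisoned rather than released so the dangling access is counted instead of being undefined behaviour.

```c
/* Added example, not kernel code: a single-threaded model of the irq_work
 * ordering bug and of the fix (irq_work_sync() before the buffer is freed).
 * Names mirror the kernel's; bodies are simplified stand-ins. A "freed"
 * buffer is poisoned, not released, so the dangling access can be counted. */
#include <stddef.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define RB_ALIVE 0x52425546u
#define RB_DEAD  0xdeadbeefu

struct irq_work {
    void (*func)(struct irq_work *);
    int pending;
    struct irq_work *next;
};

static struct irq_work *irq_pending;  /* queued, not yet run */
static int uaf_detected;              /* callbacks that found a dead buffer */
static int wakeups_delivered;         /* callbacks that found a live buffer */

static void irq_work_queue(struct irq_work *w)
{
    if (w->pending) return;           /* already queued, nothing to do */
    w->pending = 1;
    w->next = irq_pending;
    irq_pending = w;
}

/* The deferred IRQ finally firing: run every pending callback. */
static void irq_work_run(void)
{
    struct irq_work *list = irq_pending;
    irq_pending = NULL;
    while (list) {
        struct irq_work *w = list;
        list = w->next;
        w->pending = 0;
        w->func(w);
    }
}

/* Wait until w is neither pending nor running (the kernel spins; here the IRQ fires). */
static void irq_work_sync(struct irq_work *w)
{
    while (w->pending)
        irq_work_run();
}

struct trace_buffer {
    unsigned magic;
    struct irq_work wakeup;           /* embedded, so it dies with the buffer */
};

/* irq_work callback: dereferences the buffer it is embedded in. */
static void rb_wake_up_waiters(struct irq_work *work)
{
    struct trace_buffer *b = container_of(work, struct trace_buffer, wakeup);
    if (b->magic != RB_ALIVE) {       /* the access KASAN would report */
        uaf_detected++;
        return;
    }
    wakeups_delivered++;
}

static struct trace_buffer *ring_buffer_alloc(void)
{
    struct trace_buffer *b = calloc(1, sizeof(*b));
    if (!b)
        abort();
    b->magic = RB_ALIVE;
    b->wakeup.func = rb_wake_up_waiters;
    return b;
}

/* Teardown. sync == 0 is the pre-fix behaviour: the buffer goes away while its
 * wake-up work may still be pending. The fix is the irq_work_sync() call. */
static void ring_buffer_free(struct trace_buffer *b, int sync)
{
    if (sync)
        irq_work_sync(&b->wakeup);
    b->magic = RB_DEAD;               /* stands in for freeing the pages */
}

/* Returns the number of dangling accesses; *woken gets the live wake-ups. */
static int run_scenario(int sync_before_free, int *woken)
{
    struct trace_buffer *b = ring_buffer_alloc();
    uaf_detected = wakeups_delivered = 0;
    irq_work_queue(&b->wakeup);       /* a write commits, then defers the wake-up */
    ring_buffer_free(b, sync_before_free);
    irq_work_run();                   /* the IRQ finally fires */
    free(b);                          /* nothing can reference b any more */
    *woken = wakeups_delivered;
    return uaf_detected;
}
```

run_scenario(0, &woken) models the pre-fix kernel: the wake-up runs after the buffer is gone, so it returns 1 dangling access and no wake-up delivered. run_scenario(1, &woken) models the fixed kernel: irq_work_sync() lets the pending work finish against the live buffer, so it returns 0 with one wake-up delivered. The same discipline applies to any kernel object that embeds deferred work (irq_work, workqueue items, timers): the owner's teardown must wait for the work before the memory can be released.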
Upgrade to a kernel that includes the fix (6.3.0-rc2 or later, or a stable series release that carries the backported patch). Releases and download instructions are available on the official Linux kernel website, kernel.org.