Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's vc_screen component (drivers/tty/vt/vc_screen.c, which backs the /dev/vcs* virtual console screen devices), specifically in the vcs_write function. vcs_write releases the console lock with console_unlock partway through a write, and during that unlocked window the virtual terminal can be torn down, which frees its vc_data structure via vc_port_destruct. Because vcs_write kept using the vc_data pointer it had loaded before dropping the lock, the pointer must be reloaded inside the write loop after each console_lock so that the following vcs_size call does not operate on freed memory. The issue was found by syzkaller, which reported the use-after-free in vcs_size.
Winning the race leaves vcs_write operating on a vc_data structure whose memory has already been freed and may have been reused for another allocation. Depending on what now occupies that memory, the outcome ranges from a kernel crash (denial of service) to memory corruption that could, in principle, be turned into privilege escalation or arbitrary code execution in the kernel. Triggering it requires write access to a /dev/vcs* device, which on typical systems is not granted to unprivileged users by default, so the practical exposure is mainly to locally privileged processes and members of the group that owns those devices.
The condition is reached by opening a /dev/vcs* device and writing to it while the corresponding virtual terminal is being deallocated (the VT_DISALLOCATE ioctl on the matching /dev/ttyN is the usual path that ends in vc_port_destruct). The write is handled by vcs_write, which calls console_unlock part way through; if the terminal teardown lands in that unlocked window, the stale vc_data pointer is used once the lock is reacquired. A reproducer therefore needs two racing activities, a writer to the vcs device and a second thread deallocating the terminal, with the timing arranged so that the teardown falls inside the window. syzkaller, which generates and races such system-call sequences automatically, discovered and reported the issue.
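To make the race in the description and reproduction paragraphs above concrete, the following is a userspace model added for this page; it is not kernel code and not the upstream fix. The names console_lock, console_unlock, vc_cons[], vc_port_destruct and vcs_size mirror the kernel's, but their bodies are simplified stand-ins (assumptions made for the example): a counter fires the terminal teardown on a chosen console_unlock, and a liveness flag on each vc_data plays the role KASAN plays in the syzkaller report. vcs_write_vulnerable keeps the vc_data pointer across the lock drop; vcs_write_fixed reloads it from vc_cons[] after every console_lock and returns -ENXIO when the console has gone away.

```c
/* Userspace model of the vcs_write() lock-drop race. Names mirror the kernel's,
 * but every body here is a stand-in written for this example (assumption). */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NR_CONSOLES 4
#define CHUNK 64                       /* bytes handled per lock-drop round */

struct vc_data {
    unsigned int vc_rows, vc_cols;
    bool alive;                        /* stand-in for KASAN's freed-object state */
};

/* Objects are never reused, so a freed vc_data stays observable. */
static struct vc_data vc_pool[2 * MAX_NR_CONSOLES];
static int next_pool;
static struct { struct vc_data *d; } vc_cons[MAX_NR_CONSOLES];

/* Race injector: on the Nth console_unlock() the victim console is torn down
 * as vc_port_destruct() would do, optionally reallocated by "another opener". */
static int unlocks_until_destruct = -1, victim, reallocate;
static int uaf_hits;                   /* touches of a freed vc_data */

static void vc_allocate(int n)
{
    struct vc_data *vc = &vc_pool[next_pool++];
    vc->vc_rows = 25; vc->vc_cols = 80; vc->alive = true;
    vc_cons[n].d = vc;
}

static void vc_port_destruct(int n)
{
    struct vc_data *vc = vc_cons[n].d;
    vc_cons[n].d = NULL;
    vc->alive = false;                 /* the kfree() */
    vc->vc_rows = vc->vc_cols = 0;     /* allocator poisoning */
    if (reallocate)
        vc_allocate(n);                /* slot reused by a fresh vc_data */
}

static void console_lock(void) {}
static void console_unlock(void)
{
    if (unlocks_until_destruct > 0 && --unlocks_until_destruct == 0)
        vc_port_destruct(victim);
}

static size_t vcs_size(const struct vc_data *vc)
{
    if (!vc->alive)
        uaf_hits++;                    /* KASAN would report the UAF here */
    return (size_t)vc->vc_rows * vc->vc_cols;
}

/* Vulnerable shape: vc is loaded once and kept across console_unlock(). */
static long vcs_write_vulnerable(int n, size_t count)
{
    struct vc_data *vc;
    size_t written = 0;
    long ret;

    console_lock();
    vc = vc_cons[n].d;
    if (!vc) { ret = -ENXIO; goto unlock_out; }
    while (count > 0) {
        size_t this_round = count < CHUNK ? count : CHUNK, size;
        console_unlock();              /* copy_from_user() runs unlocked here */
        console_lock();
        size = vcs_size(vc);           /* vc may point at freed memory now */
        if (this_round > size) this_round = size;
        if (this_round == 0) break;
        written += this_round; count -= this_round;
    }
    ret = (long)written;
unlock_out:
    console_unlock();
    return ret;
}

/* Fixed shape: re-read vc_cons[n].d each time the lock is re-taken and fail
 * with -ENXIO if the console is gone. */
static long vcs_write_fixed(int n, size_t count)
{
    struct vc_data *vc;
    size_t written = 0;
    long ret;

    console_lock();
    vc = vc_cons[n].d;
    if (!vc) { ret = -ENXIO; goto unlock_out; }
    while (count > 0) {
        size_t this_round = count < CHUNK ? count : CHUNK, size;
        console_unlock();
        console_lock();
        vc = vc_cons[n].d;             /* reload after console_lock() */
        if (!vc) { ret = -ENXIO; goto unlock_out; }
        size = vcs_size(vc);
        if (this_round > size) this_round = size;
        if (this_round == 0) break;
        written += this_round; count -= this_round;
    }
    ret = (long)written;
unlock_out:
    console_unlock();
    return ret;
}

/* One scenario: 200-byte write to console 1, teardown on the given unlock.
 * uaf_hits is left holding the number of freed-object touches. */
static long run_scenario(long (*write_fn)(int, size_t), int destruct_on_unlock,
                         int realloc_after_destruct)
{
    memset(vc_cons, 0, sizeof vc_cons);
    next_pool = 0; uaf_hits = 0;
    vc_allocate(1);
    victim = 1; reallocate = realloc_after_destruct;
    unlocks_until_destruct = destruct_on_unlock;
    return write_fn(1, 200);
}

int main(void)
{
    long r = run_scenario(vcs_write_vulnerable, 2, 0);
    printf("vulnerable: ret=%ld uaf_hits=%d\n", r, uaf_hits);
    r = run_scenario(vcs_write_fixed, 2, 0);
    printf("fixed:      ret=%ld uaf_hits=%d\n", r, uaf_hits);
    return 0;
}
```

Build with `cc -Wall model.c` and run it. With no teardown both variants complete the 200-byte write. With the teardown injected on the second unlock the vulnerable loop touches the dead vc_data (uaf_hits becomes 1) and stops early on the poisoned size, whereas the fixed loop either returns -ENXIO or, when the slot has been reallocated, carries on with the new vc_data and never touches the freed one. The reallocation scenario is the reason the fix is a reload rather than a bare "is this console still allocated" check on the old pointer.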
Upgrade to a kernel that contains the fix, which is available from the official Linux kernel Git repository; current stable releases and download instructions are published on the Linux kernel website (kernel.org). Users of distribution kernels should apply their vendor's updated kernel package, which backports the change.