Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.1.0-rc1-00003-g84fa3304a7fc-dirty, < 6.1.0-rc1-00003-g84fa3304a7fc-dirty
A use-after-free vulnerability has been identified in the Linux kernel's Unsorted Block Images (UBI) subsystem, specifically within the volume management code. The issue arises when the 'ubi_change_vtbl_record()' function returns an error during volume resizing. The error-handling path frees 'new_eba_tbl', which holds the volume's erase block allocation table. However, by that point 'ubi_eba_replace_table()' has already made 'vol->eba_tbl' point to the same table, so the volume keeps a reference to freed memory. As a result, the lifecycles of 'vol->eba_tbl' and the volume itself become mismatched. When the volume is resized again, the freed table is accessed, a use-after-free condition that can cause memory corruption or other unintended behavior.
Exploitation of this vulnerability can lead to memory corruption issues, allowing for potential arbitrary code execution or causing a system crash.
The vulnerability can be reproduced by triggering a volume resize operation in the UBI subsystem that results in an error. This can be done by using a UBI volume management tool to resize a volume, while monitoring for error conditions that may arise during the process. The Kernel Address Sanitizer (KASAN) can be used to detect the use-after-free condition, which it reports as a bug.
Users can upgrade to the patched version of the Linux kernel, which is available in the official Linux kernel repositories. Instructions for downloading the latest stable kernel can be found on the official Linux kernel website.