Linux Kernel Use-After-Free Vulnerability in TTY N_GSM Cleanup Function

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's TTY N_GSM (Network GSM) handling. The issue arises in the 'gsm_cleanup_mux()' function, where the 'gsm->dlci' pointer is not properly cleared after the 'gsm_dlci_release()' call. This oversight leaves a dangling pointer, leading to a scenario where freed memory is accessed again, specifically 'gsm->dlci[0]'. The vulnerability can be triggered through the TTY ioctl interface, as part of the GSM multiplexing management.
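
The dangling-pointer pattern described above, as a user-space model added here (it is not kernel code and not part of the original advisory). The struct layouts, the `live` flag, the static pool and all function names are assumptions for illustration; `live` stands in for allocated versus freed memory so that the stale access can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

#define NUM_DLCI 4   /* constructed table size for this model */

/* "live" models allocated vs. freed, so a stale access is visible without UB. */
struct dlci { bool live; };
struct mux  { struct dlci *dlci[NUM_DLCI]; };
static struct dlci pool[NUM_DLCI];   /* static pool instead of a heap */

static void mux_activate(struct mux *m)
{
    for (int i = 0; i < NUM_DLCI; i++) {
        pool[i].live = true;
        m->dlci[i] = &pool[i];
    }
}

/* Pattern from the advisory: objects released, table keeps the old addresses. */
static void cleanup_dangling(struct mux *m)
{
    for (int i = 0; i < NUM_DLCI; i++)
        if (m->dlci[i])
            m->dlci[i]->live = false;        /* models the release/free */
}

/* Hardened pattern: each entry is cleared in the same step as its release. */
static void cleanup_cleared(struct mux *m)
{
    for (int i = 0; i < NUM_DLCI; i++)
        if (m->dlci[i]) {
            m->dlci[i]->live = false;        /* models the release/free */
            m->dlci[i] = NULL;
        }
}

/* One activate/cleanup cycle, then a later path that trusts a non-NULL
 * entry 0. Returns true if that path would touch a released object. */
static bool stale_use_after(void (*cleanup)(struct mux *))
{
    struct mux m = { { NULL } };
    mux_activate(&m);
    cleanup(&m);
    return m.dlci[0] != NULL && !m.dlci[0]->live;
}

int main(void)
{
    printf("dangling=%d cleared=%d\n",
           stale_use_after(cleanup_dangling), stale_use_after(cleanup_cleared));
}
```

In the model, a NULL check on entry 0 only protects the later path when cleanup clears the pointer together with the release.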

Impact

Exploitation of this vulnerability can lead to memory corruption issues, where freed memory is accessed, potentially allowing for arbitrary code execution or causing a system crash.

Reproduction

The vulnerability can be reproduced by activating a GSM multiplexing session over a TTY interface, and then issuing commands that trigger the cleanup process without properly releasing the associated resources. This can be done by manipulating the GSM command handling via the TTY ioctl interface, particularly focusing on the cleanup and release functions that manage the DLCI (Data Link Connection Identifier) pointers.

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Dec 9, 2025, 1:37 AM
Updated: Dec 9, 2025, 1:37 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.