Linux Kernel Device-Mapper Array Double Free Vulnerability

Vulnerability

A vulnerability in the Linux kernel's device-mapper array implementation can lead to a double free. The issue arises when the block manager's read-lock function fails: it releases the faulty block internally but leaves its output pointer pointing at the released block. Any subsequent operation on that stale pointer is undefined behavior. The dm_array_cursor is affected because it caches the stale pointer after a failed read, so the block is released a second time when the cursor's end function is called. The fix changes the cursor's error handling to reset the cached pointer to null, so the stale pointer is never reused.

Impact

Exploitation of this vulnerability causes a double free error, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a cache device with the device-mapper. After the cache device is initialized, the second array block is wiped while the device is offline. Once the block has been wiped, the cache device is reopened; this triggers the vulnerability because the dm_array_cursor reads the faulty block, caches the invalid block pointer, and the double free follows when the cursor is ended.
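As an added illustration (not the kernel's code or part of the advisory), the following C model reproduces the pointer-handling pattern described in the Vulnerability and Reproduction sections: a read-lock routine that releases a block on validation failure but leaves its output pointer stale, a cursor that caches that pointer, and an end routine that releases it again on the reopen path. The names block_manager, bm_read_lock, array_cursor, cursor_end and reopen_cache are constructed stand-ins for the kernel routines the advisory refers to; releases are counted rather than actually freed, so the second release is observable without corrupting memory.

```c
#include <stddef.h>

/* Constructed model of the advisory's pattern (not the kernel's dm-array code). Blocks live
 * in a static pool and releases are counted, so a second release is a number, not heap damage. */
#define NUM_BLOCKS 4
struct block { int index; };
struct block_manager {
    struct block pool[NUM_BLOCKS];
    int held[NUM_BLOCKS], over_release[NUM_BLOCKS];  /* locks outstanding; releases without a lock */
    int faulty;                                       /* index of the block whose validation fails */
};
struct array_cursor { struct block_manager *bm; struct block *block; int next; };

static void bm_unlock(struct block_manager *bm, struct block *b) {
    if (bm->held[b->index] > 0) bm->held[b->index]--;
    else bm->over_release[b->index]++;   /* the kernel would hit a BUG_ON in dm-bufio here */
}

/* Read-lock path: *out is written before validation; on failure the block is released
 * internally but *out is left pointing at the released block (the stale pointer). */
static int bm_read_lock(struct block_manager *bm, int index, struct block **out) {
    bm->held[index]++;
    *out = &bm->pool[index];
    if (index != bm->faulty) return 0;
    bm_unlock(bm, *out);
    return -1;
}

/* fixed != 0 applies the advisory's remedy: reset the cached pointer to NULL on error. */
static int cursor_load(struct array_cursor *c, int fixed) {
    int r = bm_read_lock(c->bm, c->next++, &c->block);
    if (r && fixed) c->block = NULL;
    return r;
}

static void cursor_end(struct array_cursor *c) {
    if (c->block) { bm_unlock(c->bm, c->block); c->block = NULL; }
}

/* Reopen path: load blocks until one fails, then end the cursor; returns releases without a lock. */
int reopen_cache(int fixed) {
    struct block_manager bm = { .faulty = 1 };
    struct array_cursor c = { .bm = &bm, .block = NULL, .next = 0 };
    for (int i = 0; i < NUM_BLOCKS; i++) bm.pool[i].index = i;
    int r = 0;
    while (r == 0 && c.next < NUM_BLOCKS) {
        cursor_end(&c);             /* drop the previous block before loading the next */
        r = cursor_load(&c, fixed);
    }
    cursor_end(&c);                 /* buggy cursor releases the faulty block a second time */
    return bm.over_release[bm.faulty];   /* 1 when buggy, 0 when fixed */
}
```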

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.