Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's padata subsystem. This issue arises in version 6.6.0 and can be reproduced using the LTP test 'pcrypt_aead01'. The vulnerability occurs when the padata_reorder function processes a parallel decryption task. If the associated cryptographic algorithm is deleted, the reference count of the padata descriptor can drop to zero, leading to a use-after-free condition when the function attempts to access the descriptor again.
The resulting use-after-free can potentially be exploited to execute arbitrary code or to cause a denial of service by crashing the system.
The vulnerability can be reproduced by adding a delay before the call to 'padata_find_next' within the 'padata_reorder' function. With the delay in place, running the LTP test 'pcrypt_aead01' triggers the vulnerability: the padata descriptor is freed while it is still in use.
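The ordering described above can be followed in a small userspace model. This is an added example, not kernel code and not the upstream patch: the `model_*` names are hypothetical, a `freed` flag replaces the real release so the program stays well defined, and pinning the descriptor for the duration of the function is shown as the general mitigation pattern, which is an assumption and not something this page states about the fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: names below are hypothetical, not kernel code. */
struct model_pd {
    int  refcnt;   /* references held on the descriptor */
    bool freed;    /* set instead of calling free(), so the model stays defined */
};

static void model_get(struct model_pd *pd) { pd->refcnt++; }

static void model_put(struct model_pd *pd)
{
    if (--pd->refcnt == 0)
        pd->freed = true;          /* the real object would be released here */
}

/* Stands in for padata_find_next(): any touch of a freed pd is the bug. */
static bool model_find_next(const struct model_pd *pd)
{
    return !pd->freed;             /* false = access after free */
}

/* Stands in for padata_reorder(). Returns true if every access to pd
 * happened while the descriptor was still alive. */
static bool model_reorder(struct model_pd *pd, bool hold_ref)
{
    bool ok;

    if (hold_ref)
        model_get(pd);             /* assumption: pin pd for the whole function */

    /* Delay window: the algorithm is deleted and its owner drops the
     * last outside reference to the descriptor. */
    model_put(pd);

    ok = model_find_next(pd);      /* second access, after the window */

    if (hold_ref)
        model_put(pd);             /* safe: the last access is behind us */
    return ok;
}

int main(void)
{
    struct model_pd a = { .refcnt = 1 }, b = { .refcnt = 1 };

    printf("unpinned: %s\n", model_reorder(&a, false) ? "ok" : "access after free");
    printf("pinned:   %s\n", model_reorder(&b, true)  ? "ok" : "access after free");
    return 0;
}
```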