Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's UFS (Universal Flash Storage) driver. It arises in the initialization error handling path, where the driver's crypto profile cleanup handler is invoked after the associated platform device has been released. The crypto private data is stored in a structure that is deallocated before the cleanup handler is executed, which produces the use-after-free condition. The problem is exacerbated during the error handling of the UFS platform initialization, where the host structure is released before the platform device can complete its cleanup process.
The resulting use-after-free can potentially be exploited to execute arbitrary code or to cause a denial of service by crashing the system.
The vulnerability can be fixed by modifying the UFS host allocation process to automatically register a cleanup action that releases resources before the associated SCSI device is deallocated. This change ensures that the crypto profile and other resources are properly managed, preventing the use-after-free condition.
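The ordering problem and the fix described above, as an added user-space C model (not kernel code and not the actual patch). All function and struct names are hypothetical, and the model assumes managed cleanup actions run in reverse registration order, as the kernel's device-managed resources do.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model (constructed): managed cleanup actions run in reverse
 * registration order when the device is released. All names hypothetical. */
struct action { void (*fn)(void *); void *data; };
struct device { struct action acts[8]; int n; };
struct host { bool released; bool crypto_active; int stale_uses; };

static void dev_add_action(struct device *d, void (*fn)(void *), void *data)
{
    if (d->n < 8)
        d->acts[d->n++] = (struct action){ fn, data };
}

static void dev_release(struct device *d)
{
    while (d->n > 0) {
        struct action a = d->acts[--d->n];
        a.fn(a.data);
    }
}

/* Crypto profile cleanup: touches private data stored inside the host. */
static void crypto_cleanup(void *p)
{
    struct host *h = p;
    if (h->released)
        h->stale_uses++;          /* stands in for the use-after-free */
    else
        h->crypto_active = false;
}

static void host_put(void *p) { ((struct host *)p)->released = true; }

/* Returns how many times the host was touched after being released. */
int run_init_failure(bool fixed)
{
    struct device dev = { .n = 0 };
    struct host h = { false, true, 0 };
    if (fixed)
        dev_add_action(&dev, host_put, &h);   /* registered at allocation */
    dev_add_action(&dev, crypto_cleanup, &h); /* registered during init */
    if (!fixed)
        host_put(&h);                         /* error path drops host first */
    dev_release(&dev);
    return h.stale_uses;
}
int main(void) { printf("%d %d\n", run_init_failure(false), run_init_failure(true)); return 0; }
```

Because the host release is registered first in the fixed variant, it runs last, after the crypto cleanup has finished with the host's data.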