Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (and 4 more CPEs)
A use-after-free vulnerability has been identified in the Linux kernel's tracing functionality, specifically in 'print_graph_function_flags' during tracer switching. The issue arises because the 'function_graph' tracer's print line function is not updated when the active tracer is switched to 'timerlat', so it is still invoked with a pointer to iterator data that has already been freed. The vulnerability can be reproduced by introducing a delay after unlocking a mutex, switching tracers, allowing a 'cat' of the trace file to reach the delayed point, and then switching tracers again.
Triggering this use-after-free can corrupt kernel memory and potentially allow arbitrary code execution.
The vulnerability can be reproduced by adding a delay after unlocking the trace types lock, then switching to the 'function_graph' tracer and concurrently reading the trace output. After a short delay, the 'timerlat' tracer is activated, which triggers the use-after-free: the stale print path dereferences the private iterator pointer that was freed but not cleared during the tracer switch.
The vulnerability has been fixed in the Linux kernel by ensuring that the private iterator is set to NULL after being freed, preventing the use of an invalid pointer in tracer functions.
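The fix described above comes down to a pointer-hygiene rule: state released on a tracer switch must not be left reachable through the iterator. The following user-space model is an added example and not kernel code; the names (sim_iter, sim_tracer, graph_state and the demo functions) are constructed for illustration and do not correspond to kernel symbols. It shows a print routine that still runs through a stale function pointer after a switch, and contrasts a close hook that frees without clearing (the pre-fix shape) with one that clears the private pointer right after the free, so the stale caller sees NULL and bails out instead of reading freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an output iterator: per-tracer state plus the print
 * routine the reader currently holds. The routine may go stale across a
 * switch, which is the situation the advisory describes. */
struct sim_iter {
    void *private;
    int (*print_line)(struct sim_iter *);
};

struct sim_tracer {
    const char *name;
    void (*open)(struct sim_iter *);
    void (*close)(struct sim_iter *);
    int (*print_line)(struct sim_iter *);
};

/* function_graph-like tracer: keeps heap state behind iter->private. */
struct graph_state { int depth; };

void graph_open(struct sim_iter *it)
{
    struct graph_state *s = calloc(1, sizeof *s);
    if (s)
        s->depth = 3;   /* constructed sample value */
    it->private = s;
}

/* Pre-fix shape, shown for contrast and never called here: the state is
 * freed but it->private still holds the old address, so any later print
 * through the stale routine is a use-after-free. */
void graph_close_dangling(struct sim_iter *it)
{
    free(it->private);
}

/* Post-fix shape: the private pointer is cleared immediately after the free,
 * so nothing downstream can reach the released memory. */
void graph_close_cleared(struct sim_iter *it)
{
    free(it->private);
    it->private = NULL;
}

/* Print routine that validates its state before touching it. Combined with
 * the cleared close, a stale call after a switch returns -1 instead of
 * dereferencing freed memory. */
int graph_print_line(struct sim_iter *it)
{
    struct graph_state *s = it->private;
    if (!s)
        return -1;
    return s->depth;
}

/* timerlat-like tracer: needs no private state and does not touch it. */
void timerlat_open(struct sim_iter *it) { (void)it; }
void timerlat_close(struct sim_iter *it) { (void)it; }
int timerlat_print_line(struct sim_iter *it) { (void)it; return 0; }

const struct sim_tracer graph_tracer_fixed = {
    "function_graph", graph_open, graph_close_cleared, graph_print_line
};
const struct sim_tracer timerlat_tracer = {
    "timerlat", timerlat_open, timerlat_close, timerlat_print_line
};

/* Start a tracer: installs its state and its print routine. */
void sim_start(struct sim_iter *it, const struct sim_tracer *t)
{
    t->open(it);
    it->print_line = t->print_line;
}

/* Switch tracers. Deliberately does NOT refresh it->print_line, modelling a
 * reader that still holds the previous tracer's print routine mid-switch. */
void sim_switch(struct sim_iter *it, const struct sim_tracer *from,
                const struct sim_tracer *to)
{
    from->close(it);
    to->open(it);
}

/* Print while function_graph is active: returns its sample depth (3). */
int demo_before_switch(void)
{
    struct sim_iter it = { NULL, NULL };
    sim_start(&it, &graph_tracer_fixed);
    int r = it.print_line(&it);
    sim_switch(&it, &graph_tracer_fixed, &timerlat_tracer);
    return r;
}

/* Print through the stale routine after switching to timerlat with the fixed
 * close: the cleared pointer makes the routine return -1 safely. */
int demo_fixed_switch(void)
{
    struct sim_iter it = { NULL, NULL };
    sim_start(&it, &graph_tracer_fixed);
    sim_switch(&it, &graph_tracer_fixed, &timerlat_tracer);
    return it.print_line(&it);
}

/* 1 if the private pointer is NULL after a fixed switch, 0 otherwise. */
int private_cleared_after_fixed_switch(void)
{
    struct sim_iter it = { NULL, NULL };
    sim_start(&it, &graph_tracer_fixed);
    sim_switch(&it, &graph_tracer_fixed, &timerlat_tracer);
    return it.private == NULL;
}

int main(void)
{
    printf("print before switch: %d\n", demo_before_switch());
    printf("stale print after fixed switch: %d\n", demo_fixed_switch());
    printf("private cleared: %d\n", private_cleared_after_fixed_switch());
    return 0;
}
```

The model only exercises the cleared close; the dangling variant is left uncalled on purpose, since running a print after it would be the very use-after-free the advisory describes. The design point is that clearing the pointer at the free site is what makes the NULL check in the print routine meaningful: a check alone cannot distinguish a live pointer from a freed one.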