Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's CoreSight component, specifically in how active configurations are managed. The issue arises when an active configuration is enabled through the 'cscfg_csdev_enable_active_config()' function. While this function activates the configuration, the same configuration can also be deactivated through the ConfigFS sysfs interface. As a result, the configuration can be unloaded while it is still in use, leading to a use-after-free condition. The root cause is the way configuration references and active counts are managed: the active count can be driven to zero independently of the users still holding the configuration, so freed memory can later be accessed.
Exploitation of this vulnerability results in a use-after-free condition, with potential for memory corruption or arbitrary code execution.
The vulnerability can be reproduced by loading a module that activates a configuration via the CoreSight management functions. Once the configuration is active, it can be deactivated through the sysfs interface, reducing the active count to zero. Because this deactivation can happen while the module is still loaded, a race condition exists in which the unloaded configuration is accessed after it has been freed.
The vulnerability has been addressed in the Linux kernel by changing the configuration management to use a reference count. A configuration cannot be unloaded while a reference to it is still held, which prevents the use-after-free condition.
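To make the difference between the two bookkeeping schemes concrete, the following user-space model is an added example; it is not the kernel's CoreSight cscfg code, and all names (`struct cfg`, `old_*`, `new_*`) are this example's own. In the old scheme, unload only checks an active count that a sysfs write can drive to zero, so unload succeeds while a user still holds the object. In the fixed scheme, enabling takes a reference that only the holder releases, so unload is refused until that holder is done.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of a loadable configuration (constructed for this
 * example, not a kernel structure). "freed" stands in for kfree(). */
struct cfg {
    char name[32];
    int active_cnt;   /* number of enable operations not yet disabled */
    int refcnt;       /* references held, including the loader's own */
    bool freed;
};

static struct cfg *cfg_load(const char *name)
{
    struct cfg *c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    strncpy(c->name, name, sizeof c->name - 1);
    c->refcnt = 1;    /* the loaded configuration itself holds one reference */
    return c;
}

/* --- Old scheme: only an active count, nothing pins the object --- */
static void old_enable(struct cfg *c) { c->active_cnt++; }

/* A sysfs write may disable the configuration at any time, from any context. */
static void old_sysfs_disable(struct cfg *c)
{
    if (c->active_cnt > 0)
        c->active_cnt--;
}

/* Unload is permitted whenever nothing is counted as active. */
static bool old_try_unload(struct cfg *c)
{
    if (c->active_cnt != 0)
        return false;
    c->freed = true;  /* the enabling module's pointer now dangles */
    return true;
}

/* --- Fixed scheme: enable takes a reference the holder must drop --- */
static void new_enable(struct cfg *c) { c->active_cnt++; c->refcnt++; }

/* The sysfs path still drops the active count, but not the holder's reference. */
static void new_sysfs_disable(struct cfg *c)
{
    if (c->active_cnt > 0)
        c->active_cnt--;
}

static void new_holder_done(struct cfg *c) { c->refcnt--; }

/* Unload is refused while anyone besides the loader holds a reference. */
static bool new_try_unload(struct cfg *c)
{
    if (c->refcnt != 1)
        return false;
    c->refcnt--;
    c->freed = true;
    return true;
}

/* Returns true if the enabling module is left with a dangling pointer. */
static bool old_scheme_dangles(void)
{
    struct cfg *c = cfg_load("example-config");
    old_enable(c);                       /* module activates the config */
    old_sysfs_disable(c);                /* sysfs write: active_cnt -> 0 */
    bool dangling = old_try_unload(c);   /* allowed, module still in use */
    free(c);
    return dangling;
}

/* Same sequence under the reference-counted scheme. */
static bool new_scheme_dangles(void)
{
    struct cfg *c = cfg_load("example-config");
    new_enable(c);                       /* module takes a reference */
    new_sysfs_disable(c);                /* active_cnt -> 0, refcnt still 2 */
    bool dangling = new_try_unload(c);   /* refused: holder still present */
    new_holder_done(c);                  /* module releases its reference */
    new_try_unload(c);                   /* now permitted */
    free(c);
    return dangling;
}

int main(void)
{
    printf("old scheme leaves dangling pointer: %s\n", old_scheme_dangles() ? "yes" : "no");
    printf("refcounted scheme leaves dangling pointer: %s\n", new_scheme_dangles() ? "yes" : "no");
    return 0;
}
```

The model deliberately keeps both counters so the contrast is visible: an active count records how many enable operations are outstanding, but because any sysfs writer can decrement it, it says nothing about whether a pointer to the object is still held. Only a reference that the enabling path itself owns and releases can safely gate the free.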