Linux Kernel EROFS Uninitialized Data Use Vulnerability in Device Handling

A use-after-free vulnerability has been identified in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation. This issue arises when multiple devices of different types are used simultaneously. The function 'erofs_init_device' ensures that if the primary device is file-backed, extra devices must also be regular files. However, a problem occurs when the primary device is a block device and the extra one is file-backed. In this scenario, 'erofs_init_device' returns an ENOTBLK error, which is not properly handled in 'erofs_fc_get_tree'. This oversight leads to a use-after-free condition, as the superblock information is not correctly initialized before the primary device is deactivated and freed.

Impact

Exploitation of this vulnerability creates a use-after-free condition, which can potentially be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.

Reproduction

To reproduce this vulnerability, use the EROFS file system in the Linux kernel with a primary block device and an extra file-backed device. The 'erofs_init_device' function will return an ENOTBLK error, which is not treated as a critical error in 'erofs_fc_get_tree'. This oversight allows the file system to be deactivated while the superblock is still referencing freed memory, creating a use-after-free vulnerability.