Linux Kernel Binder Subsystem Use-After-Free Vulnerability in BinderFS

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's binder subsystem, specifically in the binderfs file system. The flaw is in the 'binderfs_evict_inode' function, where improper memory management can lead to a slab-use-after-free condition. The issue was observed while running a 'stress-ng' workload targeting binderfs on a kernel built with KASAN (Kernel Address Sanitizer) enabled. The workload caused concurrent deletions from 'binder_devices', showing that these deletions need proper synchronization to prevent memory corruption.

Impact

Exploitation of this vulnerability can lead to kernel memory corruption, which may allow arbitrary code execution or cause the system to become unresponsive.

Reproduction

The vulnerability can be reproduced by running the 'stress-ng' tool with the '--binderfs' option, targeting version 16, with a timeout of 300 seconds. This should be done on a KASAN-enabled kernel, so that the sanitizer reports the use-after-free in the binderfs file system rather than letting it silently corrupt memory.
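To confirm the reproduction, a practitioner looks in dmesg for the KASAN report that names 'binderfs_evict_inode'. The following added example (not part of this advisory) parses the two header lines of KASAN reports from a dmesg excerpt and filters for the binderfs use-after-free; the dmesg lines are constructed to match KASAN's report format, not a real capture, and the helper names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Header lines of a KASAN report, after the "[ timestamp]" dmesg prefix is stripped:
#   BUG: KASAN: <kind> in <func>+0x<off>/0x<len>
#   Read|Write of size <n> at addr <hex> by task <comm>/<pid>
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<access>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")

@dataclass
class KasanReport:
    kind: str
    func: str
    access: Optional[str] = None
    size: Optional[int] = None
    task: Optional[str] = None
    pid: Optional[int] = None

def parse_kasan_reports(lines) -> List[KasanReport]:
    """Collect one KasanReport per 'BUG: KASAN:' line, attaching its access line."""
    reports: List[KasanReport] = []
    for raw in lines:
        line = TS_RE.sub("", raw.strip())
        m = BUG_RE.search(line)
        if m:
            reports.append(KasanReport(kind=m["kind"], func=m["func"]))
            continue
        m = ACCESS_RE.search(line)
        if m and reports and reports[-1].access is None:
            r = reports[-1]
            r.access, r.size = m["access"], int(m["size"])
            r.task, r.pid = m["task"], int(m["pid"])
    return reports

def find_binderfs_uaf(lines) -> List[KasanReport]:
    """Keep only use-after-free reports whose faulting function is binderfs_evict_inode."""
    return [r for r in parse_kasan_reports(lines)
            if r.kind in ("slab-use-after-free", "use-after-free")
            and r.func == "binderfs_evict_inode"]

# Constructed sample dmesg excerpt (assumed shape, not a real capture): one binderfs
# UAF report plus an unrelated out-of-bounds report that the filter must ignore.
SAMPLE_DMESG = [
    "[  121.530412] ==================================================================",
    "[  121.530420] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1c8/0x1e0",
    "[  121.530431] Read of size 8 at addr ffff888012345678 by task stress-ng/4321",
    "[  121.530440] CPU: 1 PID: 4321 Comm: stress-ng Not tainted 6.6.0 #1",
    "[  130.000100] BUG: KASAN: slab-out-of-bounds in some_other_fn+0x10/0x80",
    "[  130.000110] Write of size 4 at addr ffff888000001000 by task kworker/0:1/77",
]
```

Feed it `open("/var/log/dmesg")` or the output of `dmesg` on the test kernel; an empty result means KASAN did not observe the binderfs use-after-free during the run.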

Added: Jul 4, 2025, 11:17 AM
Updated: Jul 4, 2025, 11:17 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.