Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.16.0-862.14.0.6, < 6.16.0-862.14.0.7
A use-after-free vulnerability has been identified in the Linux kernel's buffer subsystem, specifically within the 'end_buffer_read_sync' function. This issue arises when the 'bh_read' helper is called, leading to a stack-out-of-bounds condition. The vulnerability was discovered while mounting the NTFS3 filesystem, where a stack variable was improperly managed, allowing for a buffer overflow. The problem has been observed in Linux kernel version 6.16.0-862.14.0.6.x86_64.
Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to arbitrary code execution or other undefined behavior.
To reproduce this vulnerability, mount a partition with the NTFS3 filesystem on a vulnerable Linux kernel version. During the mounting process, the 'bh_read' helper is called, which triggers the use-after-free condition. This can be verified by checking for KASAN (Kernel Address Sanitizer) reports of stack-out-of-bounds accesses.
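For triage, the KASAN check described above can be scripted. The following is an added example, not code from the advisory or the kernel project: it parses KASAN report headers out of kernel log text and flags those matching this entry (stack-out-of-bounds in 'end_buffer_read_sync'). The sample log lines, addresses, and the helper names `parse_kasan_reports` and `matches_advisory` are constructed for illustration.

```python
import re
import sys

# Constructed sample kernel log lines (not captured from a real system).
SAMPLE_LOG = """\
[   51.201] ntfs3: loading volume
[   51.310] BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
[   51.311] Write of size 8 at addr ffffc9000168f7f8 by task swapper/3/0
[   51.312] CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted
[   73.900] BUG: KASAN: slab-use-after-free in example_other_func+0x1a/0x40
[   73.901] Read of size 4 at addr ffff888012345678 by task kworker/0:1/42
"""

# KASAN report header: bug class, then symbol+offset/size of the faulting function.
HEADER = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Second line of a report: access direction, size, and the task/PID that faulted.
ACCESS = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+ "
    r"by task (?P<task>\S+)/(?P<pid>\d+)")


def parse_kasan_reports(text):
    """Return one dict per KASAN report found in kernel log text."""
    reports = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            reports.append({"kind": m["kind"], "func": m["func"],
                            "op": None, "size": None, "task": None})
            continue
        m = ACCESS.search(line)
        # Attach the access line only to the report it immediately describes.
        if m and reports and reports[-1]["op"] is None:
            reports[-1].update(op=m["op"], size=int(m["size"]), task=m["task"])
    return reports


def matches_advisory(report):
    """True for the signature this entry describes; compiler suffixes
    such as '.cold' or '.isra.0' on the symbol name are ignored."""
    return (report["kind"] == "stack-out-of-bounds"
            and report["func"].split(".")[0] == "end_buffer_read_sync")


if __name__ == "__main__":
    # Read a log from stdin when piped, otherwise use the constructed sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for r in filter(matches_advisory, parse_kasan_reports(text)):
        print(f"match: {r['kind']} in {r['func']} ({r['op']} of size {r['size']}, task {r['task']})")
```

KASAN reports are only emitted by kernels built with CONFIG_KASAN, so an empty result on a production kernel says nothing about whether it is affected.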
Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.