Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's SCSI target iSCSI implementation, specifically in the session usage count management. The function 'iscsit_dec_session_usage_count()' calls 'complete()' while still holding the lock on the session usage. This creates a race condition: once 'complete()' has been called, the waiting thread may immediately free the 'iscsit_session' structure, so the current thread then tries to release a lock inside a session that has already been deallocated. This flaw causes a memory corruption issue, which can be exploited to execute arbitrary code or cause a denial-of-service condition.
Exploitation of this vulnerability leads to a use-after-free condition, causing memory corruption that can be exploited to execute arbitrary code or create a denial-of-service situation.
To reproduce this vulnerability, the 'iscsit_dec_session_usage_count()' function must be called while a session is being freed. This can be done by manipulating the session usage count and the associated lock, creating a scenario where the session structure is deallocated before the usage count is properly updated.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading can be found in the official Linux kernel documentation.
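The lock and 'complete()' ordering described above can be modelled in userspace. The following is an added example, not kernel code and not the upstream patch: the struct fields and helper names are hypothetical, the waiter is assumed to run and free the session the instant 'complete()' is called, and the "safe" variant shows the usual remedy for this pattern (drop the lock first, make 'complete()' the last access).

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; field and function names are hypothetical, not the kernel's. */
struct session {
    int  usage_count;
    bool waiting_on_uc;      /* a teardown path waits for usage_count == 0 */
    bool lock_held;          /* stands in for the session usage lock */
    bool freed;              /* set instead of calling free(), so checks stay defined */
    int  touched_after_free; /* accesses made after the waiter freed the session */
};

static void lock(struct session *s)   { if (s->freed) s->touched_after_free++; s->lock_held = true; }
static void unlock(struct session *s) { if (s->freed) s->touched_after_free++; s->lock_held = false; }

/* Models complete() in the worst case: the waiter runs at once and frees the session. */
static void complete_and_waiter_frees(struct session *s) { s->freed = true; }

/* Ordering described in the advisory: complete() inside the locked region. */
static void dec_usage_count_unsafe(struct session *s)
{
    lock(s);
    s->usage_count--;
    if (s->usage_count == 0 && s->waiting_on_uc)
        complete_and_waiter_frees(s);
    unlock(s);                        /* touches s after it may have been freed */
}

/* Safe ordering: decide under the lock, unlock, then signal as the last access. */
static void dec_usage_count_safe(struct session *s)
{
    bool wake;
    lock(s);
    s->usage_count--;
    wake = (s->usage_count == 0 && s->waiting_on_uc);
    unlock(s);
    if (wake)
        complete_and_waiter_frees(s); /* nothing dereferences s afterwards */
}

/* Returns how many times the session was touched after being freed. */
int run_model(bool safe)
{
    struct session s = { .usage_count = 1, .waiting_on_uc = true };
    if (safe) dec_usage_count_safe(&s); else dec_usage_count_unsafe(&s);
    return s.touched_after_free;
}

int main(void)
{
    printf("unsafe: %d, safe: %d\n", run_model(false), run_model(true));
    return 0;
}
```

In the real kernel the post-free access is the unlock itself, which is why tools such as KASAN report this class of bug at the unlock call rather than at 'complete()'.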