Linux Kernel Trace Subsystem Use-After-Free Vulnerability in Copy-Trace-Marker Feature

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's tracing subsystem, in the 'copy_trace_marker' feature. When this option is enabled for a tracing instance, data written to '/sys/kernel/tracing/trace_marker' is also copied to that instance's buffer, and the instance's trace_array descriptor is added to a list of marker copies that is protected by Read-Copy Update (RCU). When the instance is deleted, the 'copy_trace_marker' flag is cleared and the trace_array descriptor is removed from the list. The vulnerability arises because the flag is cleared before the direct call to 'update_marker_trace()', the call that is supposed to synchronize the removal from the list. As a result, the necessary synchronization is not performed, which leaves a potential use-after-free condition that could be exploited.

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, potentially allowing for memory corruption or arbitrary code execution.

Reproduction

To reproduce this vulnerability, enable the 'copy_trace_marker' option for a tracing instance. Write data into the '/sys/kernel/tracing/trace_marker' file, which will be copied to the instance's buffer. Then, delete the tracing instance. The 'copy_trace_marker' flag will be cleared, but the corresponding trace_array descriptor will not be properly removed from the marker_copies list due to the order of operations, creating a use-after-free condition.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
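To see which tracing instances on a host currently have the option enabled, the following shell function can be used. It is an added example, not code from the advisory or the kernel project. It assumes tracefs is mounted at /sys/kernel/tracing and that each instance exposes the option as instances/<name>/options/copy_trace_marker.

```shell
#!/bin/sh
# Added example: list tracing instances that have copy_trace_marker enabled,
# i.e. the instances whose trace_array descriptor is on the marker-copies list.
# Assumptions: tracefs root is /sys/kernel/tracing (override with $1) and the
# per-instance option file is instances/<name>/options/copy_trace_marker,
# holding "1" when enabled and "0" when disabled.

# list_marker_copy_instances [TRACEFS_ROOT]
# Prints one instance name per line.
# Returns 0 on success (even if nothing is enabled), 2 if the instances
# directory cannot be found.
list_marker_copy_instances() {
    root="${1:-/sys/kernel/tracing}"
    [ -d "$root/instances" ] || return 2

    for opt in "$root"/instances/*/options/copy_trace_marker; do
        # Skip when the glob matched nothing or the kernel lacks the option.
        [ -f "$opt" ] || continue
        val=$(cat "$opt" 2>/dev/null) || continue
        if [ "$val" = "1" ]; then
            inst=${opt%/options/copy_trace_marker}
            printf '%s\n' "${inst##*/}"
        fi
    done
    return 0
}
```

Source the file and call `list_marker_copy_instances` with no argument on a live system; reading tracefs normally requires root.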

Added: Apr 24, 2026, 8:26 PM
Updated: Apr 24, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 3.9
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.