Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (four further CPE entries not shown)
A use-after-free vulnerability has been identified in the Linux kernel's CAIF serial line discipline (the caif_serial driver, line discipline N_CAIF) in how it handles its reference to the TTY it is attached to. The line discipline keeps a pointer to the TTY link for use by its transmit path without holding a reference on it, so the TTY object can be freed while the discipline is still using it. When the CAIF serial transmission path then calls tty_write_room() through the stale pointer, it reads freed slab memory (the TTY link's port), producing a slab-use-after-free that a reproducer can trigger reliably. The root cause is the missing reference on the TTY link object; TTY objects are reference counted precisely so that users such as line disciplines can keep them alive for as long as they hold a pointer.
Triggering this vulnerability causes a use-after-free on kernel slab memory. Accesses through the stale TTY pointer can corrupt kernel memory once the freed slot has been reused, which can crash the kernel and potentially allow arbitrary code execution in kernel context.
The vulnerability can be reproduced by attaching the CAIF serial line discipline to a TTY (line disciplines are selected with the TIOCSETD ioctl), which opens a TTY link, and then driving the CAIF serial transmission path so that it calls tty_write_room() on that link. If the TTY has been released in the meantime, the call dereferences the freed TTY link object, specifically its port, and the use-after-free is hit. Since the object is freed but still accessed, an attacker who can control what is allocated into the freed slot can turn the stale access into memory corruption.
The vulnerability has been addressed by changing the CAIF serial line discipline to manage its TTY link reference properly: the discipline takes its own reference on the TTY link when it is opened and drops it when it is closed, so the object stays valid for the whole time the discipline's transmit path may use it. The kernel's helpers for this are tty_kref_get() and tty_kref_put(). Users should apply the fix from the Linux kernel stable trees. Where patching is not immediately possible and CAIF serial is not needed, keeping the caif_serial module unloaded (or not building it) removes this attack surface.
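To make the reference-count reasoning concrete, here is an added user-space model of the bug and of the fix. It is an illustration written for this page, not kernel code. It keeps the kernel's names where they exist (tty_kref_get(), tty_kref_put(), tty_write_room(), ldisc_open()/ldisc_close()) but re-implements them on a fake slab that poisons freed objects instead of returning memory, so the stale read is detectable; struct sim_tty, the ser_device fields, run_scenario() and the exact ordering in which the last TTY reference is dropped are assumptions made for the demonstration, not the kernel's real sequence.

```c
/* User-space model of a missing TTY reference in a line discipline.
 * Assumed/simplified: struct sim_tty, struct ser_device, the fake slab,
 * and the event ordering in run_scenario(). Not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TTY_MAGIC   0x5401u
#define SLAB_POISON 0x6b      /* stands in for the kernel's POISON_FREE */

struct sim_tty {
    unsigned int magic;       /* TTY_MAGIC while allocated, poisoned after free */
    int kref;                 /* reference count, like tty->kref */
    int port_write_room;      /* what the port reports as free space */
};

/* Fake slab: "freeing" only poisons the object, memory stays mapped,
 * so a later read is well-defined here and detectable via the magic. */
static struct sim_tty *tty_alloc(int room)
{
    struct sim_tty *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->magic = TTY_MAGIC;
    t->kref = 1;
    t->port_write_room = room;
    return t;
}

static void tty_free(struct sim_tty *t) { memset(t, SLAB_POISON, sizeof *t); }
static int tty_is_freed(const struct sim_tty *t) { return t->magic != TTY_MAGIC; }

/* Same contract as the kernel helpers: put() frees on the last reference. */
static struct sim_tty *tty_kref_get(struct sim_tty *t) { t->kref++; return t; }
static void tty_kref_put(struct sim_tty *t) { if (--t->kref == 0) tty_free(t); }

/* tty_write_room(): returns -1 where KASAN would report the stale read. */
static int tty_write_room(struct sim_tty *t)
{
    if (tty_is_freed(t))
        return -1;
    return t->port_write_room;
}

struct ser_device {
    struct sim_tty *tty;      /* recorded at ldisc open for the tx path */
    int holds_ref;            /* whether we took our own reference */
};

/* ldisc_open(): vulnerable variant stores a raw pointer (hold_ref == 0),
 * fixed variant takes a reference of its own (hold_ref == 1). */
static void ldisc_open(struct ser_device *ser, struct sim_tty *tty, int hold_ref)
{
    ser->tty = hold_ref ? tty_kref_get(tty) : tty;
    ser->holds_ref = hold_ref;
}

static void ldisc_close(struct ser_device *ser)
{
    if (ser->holds_ref)
        tty_kref_put(ser->tty);   /* drop the reference taken in ldisc_open() */
    ser->tty = NULL;
}

/* Transmit path: asks the TTY how much room the port has. */
static int ser_tx(struct ser_device *ser) { return tty_write_room(ser->tty); }

/* Assumed sequence: discipline attached, last external TTY reference dropped,
 * transmit path runs, discipline closed. Returns the room seen by ser_tx(),
 * or -1 if it read a freed object. */
static int run_scenario(int hold_ref)
{
    struct sim_tty *tty = tty_alloc(4096);
    struct ser_device ser = {0};

    ldisc_open(&ser, tty, hold_ref);
    tty_kref_put(tty);            /* freed here unless the ldisc holds a ref */
    int room = ser_tx(&ser);
    ldisc_close(&ser);
    free(tty);                    /* return the fake slab slot to libc */
    return room;
}

int main(void)
{
    printf("raw pointer : write_room = %d\n", run_scenario(0));
    printf("with kref   : write_room = %d\n", run_scenario(1));
    return 0;
}
```

Running it, the raw-pointer variant reports -1 (the poisoned object was read after its last reference was dropped), while the variant that takes a reference in ldisc_open() still sees the 4096 bytes of room, and the object is only freed once ldisc_close() puts that reference. The pattern to check for in any line discipline or similar consumer is the same: every stored TTY pointer must be backed by a reference that is dropped no earlier than the last use.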