Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the CAIF serial driver of the Linux kernel. The function that handles packet transmission can access a TTY (teletypewriter) structure after it has been freed, which may lead to arbitrary code execution. The root cause is a race condition between closing the line discipline and transmitting packets over the network device: when the line discipline is closed, its reference to the TTY is released, so if a packet is being transmitted at the same time, the TTY may already have been freed and the driver is left with a dangling pointer. This issue affects the Linux kernel stable tree.
Exploitation of this vulnerability leads to a use-after-free condition, where a freed memory area is accessed, potentially allowing for arbitrary code execution.
To reproduce this vulnerability, add a delay of 500 milliseconds at the beginning of the 'ldisc_close()' function to widen the race window. Then, run a program that triggers the vulnerability by sending packets while the line discipline is being closed.
The vulnerability has been fixed by modifying the CAIF serial driver's line discipline handling. The TTY reference release has been moved from the 'ldisc_close()' function to the 'ser_release()' function, ensuring that the reference is held as long as the network device is active. Users should update to the latest version of the Linux kernel where this fix has been applied.