Linux Kernel Use-After-Free Vulnerability in MTD DOCG3 Release Function

A use-after-free vulnerability has been identified in the Linux kernel's MTD DOCG3 driver. The issue arises in the 'docg3_release' function, where a pointer to a 'docg3' structure is obtained from 'cascade->floors[0]->priv' before a loop that calls 'doc_release_device()' on each floor. The 'doc_release_device()' function frees the 'docg3' structure, leading to a dereference of a freed pointer when accessing 'docg3->cascade->bch' after the loop. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, potentially allowing for arbitrary code execution or memory corruption.

Reproduction

To reproduce this vulnerability, load the MTD DOCG3 driver and trigger the 'docg3_release' function. The vulnerability will manifest as a use-after-free condition when the function attempts to access 'docg3->cascade->bch' after the 'docg3' structure has been freed.

Remediation

The vulnerability has been fixed in the Linux kernel stable tree. Users can apply the latest updates from the Linux kernel stable repository to address this issue.