In the Linux kernel, the following vulnerability has been resolved:

vcscreen: reload load of struct vcdata pointer in vcs_write() to avoid UAF

After a call to consoleunlock() in vcswrite() the vcdata struct can be freed by vcportdestruct(). Because of that, the struct vcdata pointer must be reloaded in the while loop in vcswrite() after consolelock() to avoid a UAF when vcs_size() is called.

Syzkaller reported a UAF in vcs_size().

BUG: KASAN: slab-use-after-free in vcssize (drivers/tty/vt/vcscreen.c:215) Read of size 4 at addr ffff8880beab89a8 by task reprovcssize/4119

Call Trace: <TASK> _asanreportload4noabort (mm/kasan/reportgeneric.c:380) vcssize (drivers/tty/vt/vcscreen.c:215) vcswrite (drivers/tty/vt/vcscreen.c:664) vfswrite (fs/readwrite.c:582 fs/readwrite.c:564) ... <TASK>

Allocated by task 1213: kmalloctrace (mm/slabcommon.c:1064) vcallocate (./include/linux/slab.h:559 ./include/linux/slab.h:680 drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058) coninstall (drivers/tty/vt/vt.c:3334) ttyinitdev (drivers/tty/ttyio.c:1303 drivers/tty/ttyio.c:1415 drivers/tty/ttyio.c:1392) ttyopen (drivers/tty/ttyio.c:2082 drivers/tty/ttyio.c:2128) chrdevopen (fs/chardev.c:415) dodentryopen (fs/open.c:921) vfs_open (fs/open.c:1052) ...

Freed by task 4116: kfree (mm/slabcommon.c:1016) vcportdestruct (drivers/tty/vt/vt.c:1044) ttyportdestructor (drivers/tty/ttyport.c:296) ttyportput (drivers/tty/ttyport.c:312) vtdisallocateall (drivers/tty/vt/vtioctl.c:662 (discriminator 2)) vtioctl (drivers/tty/vt/vtioctl.c:903) ttyioctl (drivers/tty/ttyio.c:2778) ...

The buggy address belongs to the object at ffff8880beab8800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)

The buggy address belongs to the physical page: page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbeab8 head:00000000afc77580 order:3 entiremapcount:0 nrpagesmapped:0 pincount:0 flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) pagetype: 0xffffffff() raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Disabling lock debugging due to kernel taint