In the Linux kernel, the following vulnerability has been resolved:

vcscreen: move load of struct vcdata pointer in vcs_read() to avoid UAF

After a call to consoleunlock() in vcsread() the vcdata struct can be freed by vcdeallocate(). Because of that, the struct vcdata pointer load must be done at the top of while loop in vcsread() to avoid a UAF when vcs_size() is called.

Syzkaller reported a UAF in vcs_size().

BUG: KASAN: use-after-free in vcssize (drivers/tty/vt/vcscreen.c:215) Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537

CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1 Hardware name: Red Hat KVM, BIOS 1.15.0-2.module Call Trace: <TASK> _asanreportload4noabort (mm/kasan/reportgeneric.c:350) vcssize (drivers/tty/vt/vcscreen.c:215) vcsread (drivers/tty/vt/vcscreen.c:415) vfsread (fs/readwrite.c:468 fs/readwrite.c:450) ... </TASK>

Allocated by task 1191: ... kmalloctrace (mm/slabcommon.c:1069) vcallocate (./include/linux/slab.h:580 ./include/linux/slab.h:720 drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108) coninstall (drivers/tty/vt/vt.c:3383) ttyinitdev (drivers/tty/ttyio.c:1301 drivers/tty/ttyio.c:1413 drivers/tty/ttyio.c:1390) ttyopen (drivers/tty/ttyio.c:2080 drivers/tty/ttyio.c:2126) chrdevopen (fs/chardev.c:415) dodentryopen (fs/open.c:883) vfs_open (fs/open.c:1014) ...

Freed by task 1548: ... kfree (mm/slabcommon.c:1021) vcportdestruct (drivers/tty/vt/vt.c:1094) ttyportdestructor (drivers/tty/ttyport.c:296) ttyportput (drivers/tty/ttyport.c:312) vtdisallocateall (drivers/tty/vt/vtioctl.c:662 (discriminator 2)) vtioctl (drivers/tty/vt/vtioctl.c:903) ttyioctl (drivers/tty/ttyio.c:2776) ...

The buggy address belongs to the object at ffff888113747800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of 1024-byte region [ffff888113747800, ffff888113747c00)

The buggy address belongs to the physical page: page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113740 head:00000000b3fe6c7c order:3 compoundmapcount:0 subpagesmapcount:0 compound_pincount:0 anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Disabling lock debugging due to kernel taint