A use-after-free flaw was found in the Linux kernel's implementation of blktrace, in the __blk_add_trace function. A local attacker with permission to run block trace instructions against a device can create a situation where the core block_trace object is used after it is freed. The attacker can pre-groom memory to race this use-after-free and create a condition where memory is corrupted, which is also likely to allow privilege escalation.
A patch may be attached to the bugzilla.kernel.org entry, but no patch exists at this time.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1786166]
While this flaw is rated as important, it was a difficult decision to make. Users who are granted permissions on system block devices can likely find other ways of achieving the same result, such as modifying the setuid bits on mounted filesystems, altering the contents of setuid files, or editing the password file itself if they can access it on that block device.
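The severity reasoning above hinges on who already holds permissions on block devices, since that is the precondition for running block trace instructions against them. The following audit script is an added example, not part of the advisory or of any kernel or distribution tooling: it walks /dev (or any directory) and lists block devices that a non-root principal could open for writing, reporting which owner or group grants that access. The `DevEntry` structure, the `risky_block_devices` and `scan_dev` function names, and the sample device entries are constructed for this example.

```python
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass
class DevEntry:
    """Minimal stat view of one filesystem entry (constructed for this example)."""
    path: str
    mode: int   # st_mode, including the file-type bits
    uid: int
    gid: int

def risky_block_devices(entries: Iterable[DevEntry]) -> List[Tuple[str, str]]:
    """Return (path, reason) for block devices a non-root principal could open
    for writing. Character devices and regular files are ignored; one reason is
    reported per device, most permissive first."""
    findings = []
    for e in entries:
        if not stat.S_ISBLK(e.mode):
            continue
        perm = stat.S_IMODE(e.mode)
        if perm & stat.S_IWOTH:
            findings.append((e.path, "world-writable"))
        elif e.uid != 0:
            findings.append((e.path, f"owned by uid {e.uid}"))
        elif perm & stat.S_IWGRP:
            # Typical root:disk 0660 devices land here: membership in that
            # group is exactly the permission the advisory is concerned with.
            findings.append((e.path, f"group-writable (gid {e.gid})"))
    return sorted(findings)

def scan_dev(root: str = "/dev") -> List[Tuple[str, str]]:
    """Collect stat data for everything under `root` and audit it."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # device node vanished or is unreadable; skip it
            entries.append(DevEntry(path, st.st_mode, st.st_uid, st.st_gid))
    return risky_block_devices(entries)

# Constructed sample entries standing in for a real /dev listing.
SAMPLE_DEV = [
    DevEntry("/dev/sda", stat.S_IFBLK | 0o660, 0, 6),        # root:disk rw-rw----
    DevEntry("/dev/sdb", stat.S_IFBLK | 0o666, 0, 6),        # world-writable
    DevEntry("/dev/sdc", stat.S_IFBLK | 0o600, 1000, 1000),  # owned by a user
    DevEntry("/dev/sdd", stat.S_IFBLK | 0o600, 0, 0),        # root-only, fine
    DevEntry("/dev/null", stat.S_IFCHR | 0o666, 0, 0),       # char device, ignored
]

if __name__ == "__main__":
    for path, reason in scan_dev("/dev"):
        print(f"{path}: {reason}")
```

Run it as root (or any user able to stat /dev) to get the list; every path it prints names a device for which some non-root user or group already holds the access this advisory treats as the attacker's starting point, and the group ids it reports are the memberships worth reviewing.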