Linux Kernel Cgroup Migration Vulnerability Leading to Use-After-Free

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's cgroup management, specifically during task migration between csets (css_sets). The issue arises because the migration code uses the same preload node for both the source and destination csets, so the bookkeeping goes wrong when several tasks are migrated at once. By manipulating which tasks belong to which cgroup, a cset can be destroyed while it is still in use, producing the use-after-free.

Impact

Triggering this flaw produces a use-after-free condition, which could potentially be leveraged to execute arbitrary code or to crash the system, causing a denial of service.

Reproduction

To reproduce this vulnerability, create a cgroup and move a process with multiple threads into it. Then migrate the group leader thread to a different cgroup while leaving the non-leader threads behind. The migration code mishandles this situation, allowing the cset to be destroyed prematurely while it is still in use.
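The trigger condition described above leaves one process with threads in more than one cgroup. The following audit script is an added example for administrators, not code from the advisory or from the kernel project: it reads the per-thread /proc/<pid>/task/<tid>/cgroup files (a standard kernel interface) and reports any process whose threads are not all in the same cgroups, so that hosts awaiting the kernel update can be checked for that pattern. The pid, tid and cgroup paths in the embedded sample records are constructed for illustration.

```python
"""Audit helper: find processes whose threads live in different cgroups.

Added example (not part of the advisory). It parses the format of
/proc/<pid>/task/<tid>/cgroup and flags processes whose threads are split
across cgroups, which is the precondition the advisory describes.
"""
import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A /proc/<pid>/task/<tid>/cgroup file contains lines such as
#   0::/user.slice/session-1.scope      (cgroup v2 unified hierarchy)
#   4:cpu,cpuacct:/system.slice/foo     (cgroup v1 controller hierarchy)
# Fields: hierarchy-id, controller list (empty for v2), cgroup path.
_CGROUP_LINE = re.compile(r"^(\d+):([^:]*):(.*)$")


def parse_cgroup_file(text: str) -> Tuple[str, ...]:
    """Return the cgroups a thread belongs to, one "hierarchy-id:path" entry
    per hierarchy, sorted so two threads with equal membership compare equal."""
    paths = []
    for line in text.splitlines():
        m = _CGROUP_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the audit
        hierarchy_id, _controllers, path = m.groups()
        paths.append(f"{hierarchy_id}:{path}")
    return tuple(sorted(paths))


def find_split_processes(
    threads: Iterable[Tuple[int, int, str]]
) -> Dict[int, List[Tuple[int, Tuple[str, ...]]]]:
    """Group (pid, tid, cgroup-file-text) records by pid and keep only the
    processes whose threads do not all share the same cgroup membership."""
    by_pid: Dict[int, List[Tuple[int, Tuple[str, ...]]]] = defaultdict(list)
    for pid, tid, text in threads:
        by_pid[pid].append((tid, parse_cgroup_file(text)))
    return {
        pid: members
        for pid, members in by_pid.items()
        if len({cg for _tid, cg in members}) > 1
    }


def read_proc_threads(proc_root: str = "/proc") -> List[Tuple[int, int, str]]:
    """Collect (pid, tid, cgroup-file-text) for every thread under proc_root.
    Threads that exit while the scan runs are silently skipped."""
    records = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        task_dir = os.path.join(proc_root, entry, "task")
        try:
            tids = os.listdir(task_dir)
        except OSError:
            continue
        for t in tids:
            try:
                with open(os.path.join(task_dir, t, "cgroup")) as fh:
                    records.append((int(entry), int(t), fh.read()))
            except OSError:
                continue
    return records


# Constructed sample records (hypothetical pids, tids and cgroup paths):
# pid 1000 has its leader in /a and a second thread in /b (split),
# pid 2000 has both threads in /a (not split).
SAMPLE_RECORDS = [
    (1000, 1000, "0::/a\n"),
    (1000, 1001, "0::/b\n"),
    (2000, 2000, "0::/a\n"),
    (2000, 2001, "0::/a\n"),
]


if __name__ == "__main__":
    source = read_proc_threads() if os.path.isdir("/proc") else SAMPLE_RECORDS
    for pid, members in sorted(find_split_processes(source).items()):
        print(f"pid {pid}: threads split across cgroups")
        for tid, cgroups in members:
            print(f"  tid {tid}: {', '.join(cgroups)}")
```

On a cgroup v1 host a process appears as split if its threads differ in any hierarchy, since each "hierarchy-id:path" entry is compared; on the v2 unified hierarchy there is a single entry per thread. A non-empty report is not proof of exploitation, only of the thread layout the advisory names, so treat it as a prompt to prioritise the kernel update.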

Remediation

Users should upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.