Linux Kernel RapidIO Driver Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's RapidIO device driver. The issue is in the 'mport_cdev_open()' function, where the 'kfifo_alloc()' allocation can fail. When it does, the function frees 'priv' but does not remove it from 'chdev->file_list', so the list keeps a pointer to freed memory and a later traversal of the list can result in a use-after-free. This vulnerability affects several versions of the Linux kernel.
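The error-path ordering described above, as an added userspace model (not the kernel's code and not the upstream patch): it puts the flawed sequence beside one hardened ordering that publishes the object only after every fallible step has succeeded. All names (`open_buggy`, `open_fixed`, `publish`, the pool allocator, `fifo_should_fail`) are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model, not kernel code. Every name below is hypothetical. */
struct priv  { struct priv *next; int live; };
struct chdev { struct priv *file_list; };

static struct priv pool[4];   /* stand-in for kzalloc()/kfree() */
static int fifo_should_fail;  /* constructed switch: force the fifo step to fail */
static struct priv *priv_alloc(void) {
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].next = NULL; return &pool[i]; }
    return NULL;
}
/* "Free" only clears a flag, so the checker below never touches invalid memory. */
static void priv_free(struct priv *p) { p->live = 0; }
static int fifo_alloc(void) { return fifo_should_fail ? -1 : 0; }
static void publish(struct chdev *c, struct priv *p) { p->next = c->file_list; c->file_list = p; }

/* Flawed ordering: publish first, then fail and free without unlinking. */
static int open_buggy(struct chdev *c) {
    struct priv *p = priv_alloc();
    if (!p) return -1;
    publish(c, p);
    if (fifo_alloc() < 0) { priv_free(p); return -1; }
    return 0;
}

/* Hardened ordering: complete every fallible step, publish last. */
static int open_fixed(struct chdev *c) {
    struct priv *p = priv_alloc();
    if (!p) return -1;
    if (fifo_alloc() < 0) { priv_free(p); return -1; }
    publish(c, p);
    return 0;
}

/* Number of list entries that refer to an already-freed object. */
static int dangling_entries(const struct chdev *c) {
    int n = 0;
    for (const struct priv *p = c->file_list; p; p = p->next) n += !p->live;
    return n;
}

int main(void) {
    struct chdev a = {0}, b = {0};
    fifo_should_fail = 1; open_buggy(&a); open_fixed(&b);
    printf("buggy: %d dangling, fixed: %d dangling\n", dangling_entries(&a), dangling_entries(&b));
    return 0;
}
```

Unlinking the object on the error path before freeing it is the other way to keep the list consistent; either way, the invariant to review for is that nothing reachable from a shared list is ever freed.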

Impact

The vulnerability can be exploited to create a use-after-free condition, which may lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by triggering a failure of 'kfifo_alloc()' within the 'mport_cdev_open()' function of the RapidIO character device driver. When the conditions are arranged so that 'kfifo_alloc()' fails, 'priv' is freed without being removed from the file list, which creates the use-after-free scenario.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: Sep 15, 2025, 9:40 PM
Updated: Sep 15, 2025, 9:40 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.