Linux Kernel RDMA/rxe Double Free Vulnerability in Memory Registration

Vulnerability

A double free vulnerability has been identified in the memory registration path of the Linux kernel's RDMA/rxe component. When 'rxe_mr_init_user()' fails during initialization, 'rxe_mr_cleanup()' is called and attempts to free the 'mr->map' memory mapping again, leading to a double free condition. The vulnerability affects Linux kernel versions through 6.1.0-rc1.
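
The failure pattern described above, reduced to a userspace model with a pointer-clearing variant beside it. This is an added illustration, not the kernel's rxe code or the upstream patch; the struct, the one-slot allocator and every function name are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed userspace model; all names are hypothetical, not kernel code. */
struct model_mr { void *map; };

static char slot[64];     /* one-slot allocator standing in for kmalloc/kfree */
static int slot_live;     /* 1 while the slot is allocated */
static int double_frees;  /* releases of an already-released slot */
static void *model_alloc(void) { slot_live = 1; return slot; }

static void model_free(void *p)
{
    if (!p)
        return;           /* freeing NULL is a no-op, as with kfree() */
    if (!slot_live)
        double_frees++;   /* second release of the same allocation */
    slot_live = 0;
}

/* Init fails after allocating map; clear_ptr == 0 leaves the stale pointer. */
static int model_init_user(struct model_mr *mr, int clear_ptr)
{
    mr->map = model_alloc();
    model_free(mr->map);  /* error path releases map */
    if (clear_ptr)
        mr->map = NULL;   /* hardened form: nothing left for cleanup to free */
    return -1;            /* simulated initialization failure */
}

static void model_cleanup(struct model_mr *mr)
{
    model_free(mr->map);  /* correct only if map is NULL or still live */
    mr->map = NULL;
}

/* Registration path: a failed init is followed by cleanup of the object. */
static int register_mr(int clear_ptr)
{
    struct model_mr mr = { NULL };
    double_frees = 0;
    if (model_init_user(&mr, clear_ptr) != 0)
        model_cleanup(&mr);
    return double_frees;
}

int main(void)
{
    printf("stale: %d, cleared: %d\n", register_mr(0), register_mr(1));
    return 0;
}
```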

Impact

The double free corrupts kernel memory. It can be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by registering a user memory region with 'ib_uverbs_reg_mr' while the RDMA/rxe driver is active. If the registration process fails, the 'rxe_mr_cleanup()' function is triggered and attempts to free the 'mr->map' mapping. The double free can then be observed in the kernel log, where it is logged as a panic.

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed.

Added: Oct 7, 2025, 6:09 PM
Updated: Oct 7, 2025, 6:09 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.