Linux Kernel CPU Rmap Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's CPU resource mapping (RMAP) implementation. The issue arises when 'irq_set_affinity_notifier()' is called with NULL as the notify argument. That call frees the glue pointer held in the relevant array entry but leaves the now-stale pointer in the array. A later call to 'free_irq_cpu_rmap()' then attempts to free the same entry again, leading to a potential use-after-free. The current code does not hit this problem, because no caller invokes 'irq_set_affinity_notifier(irq, NULL)' and then 'free_irq_cpu_rmap()', but subsequent patches in this series introduce that flow, which makes the fix necessary.

Impact

This vulnerability can lead to a use-after-free condition, which may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by calling 'irq_set_affinity_notifier()' with NULL as the notify argument. This frees the glue pointer in the corresponding RMAP array entry but leaves the pointer in the array. If 'free_irq_cpu_rmap()' is then called, it attempts to free the already freed entry, creating a use-after-free condition. The call sequence that exercises this flawed logic is introduced by a series of patches.

Remediation

The vulnerability has been addressed by modifying the 'free_irq_cpu_rmap()' function to check for non-zero values in the RMAP array entries before iteration. Additionally, the 'irq_cpu_rmap_release()' and 'irq_cpu_rmap_add()' functions have been updated to set the corresponding array entries to NULL when freeing or adding IRQs, respectively.
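
The stale-pointer flow and the effect of the fix can be seen in a small userspace model. This is an added example, not kernel code or code from the patch series: the names model_free, rmap_release, rmap_free_all, run_flow and pool are hypothetical, and freed memory is represented by a 'live' flag so the program stays well-defined.

```c
/* Userspace model of the rmap obj[] array (constructed; not kernel code). */
#include <stdio.h>
#define NSLOTS 4
struct glue { int live; };                 /* live == 0 models freed memory */
struct rmap { struct glue *obj[NSLOTS]; };
static struct glue pool[NSLOTS];           /* stands in for kzalloc()/kfree() */
static int stale_frees;                    /* frees of an already-freed glue */

static void model_free(struct glue *g)
{
    if (!g->live)
        stale_frees++;                     /* real code would touch freed memory */
    g->live = 0;
}

/* Release path reached via irq_set_affinity_notifier(irq, NULL). */
static void rmap_release(struct rmap *r, int i, int fixed)
{
    model_free(r->obj[i]);
    if (fixed)
        r->obj[i] = NULL;                  /* fix: clear the slot on release */
}

/* Models free_irq_cpu_rmap(): walk the array and free what is left. */
static void rmap_free_all(struct rmap *r)
{
    for (int i = 0; i < NSLOTS; i++)
        if (r->obj[i])                     /* fix: skip cleared (NULL) slots */
            model_free(r->obj[i]);
}

/* add all -> release slot 1 -> free all; returns the stale-free count. */
static int run_flow(int fixed)
{
    struct rmap r;
    stale_frees = 0;
    for (int i = 0; i < NSLOTS; i++) {
        pool[i].live = 1;
        r.obj[i] = &pool[i];
    }
    rmap_release(&r, 1, fixed);
    rmap_free_all(&r);
    return stale_frees;
}

int main(void)
{
    printf("unfixed: %d, fixed: %d stale free(s)\n", run_flow(0), run_flow(1));
    return 0;
}
```

The non-NULL check in the loop only helps once the release path clears the slot. In the unfixed flow the slot still holds the stale pointer, so the check passes and the entry is freed a second time.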

Added: Oct 1, 2025, 2:16 PM
Updated: Oct 1, 2025, 2:16 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.