Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's virtio-mmio driver. The driver's per-device state, vm_dev, embeds a 'struct device', and a struct device has its own reference-counted lifecycle: the memory that contains it must remain valid until the last reference is dropped and the device's release callback runs. Allocating vm_dev with devres ties it to a different lifecycle instead, that of the platform driver binding, so devres frees the memory when the platform_device is unbound from the driver, without waiting for the release callback. When the release callback runs afterwards it touches memory that has already been freed, which is the use-after-free. The bug is easiest to observe with CONFIG_DEBUG_KOBJECT_RELEASE, which deliberately delays release callbacks so that ordering errors like this one become visible, combined with unbinding the device through sysfs.
The impact is a use-after-free in kernel context: memory is accessed after it has been returned to the allocator, so the result depends on what has since reused that memory, ranging from a kernel crash to memory corruption and, in principle, arbitrary code execution. Note that the trigger is a device unbind, which on a default system is a privileged operation (writing to the driver's sysfs unbind file requires root), so the realistic exposure is to an already privileged attacker or to an administrator performing device maintenance.
To reproduce this vulnerability, build the Linux kernel with CONFIG_DEBUG_KOBJECT_RELEASE enabled and boot it on a system with at least one virtio-mmio device. Then unbind the device from its driver through sysfs by writing the platform device's name (as listed in the driver's sysfs directory) to /sys/bus/platform/drivers/virtio-mmio/unbind. The delayed release callback introduced by the debug option runs after devres has already freed vm_dev, so the use-after-free is triggered and can be observed in the kernel log, most clearly with KASAN enabled as well.
The vulnerability has been addressed in the Linux kernel by changing the virtio-mmio driver to stop allocating vm_dev through the devres memory management functions and instead to free it when the embedded device's release callback runs, so the allocation follows the lifecycle of the struct device it contains. Users should upgrade to a stable kernel that carries this fix.
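The lifecycle mismatch described in the summary and the shape of the fix are easier to see in a small user-space model. The following is an added example written for this page, not the kernel's virtio-mmio code: it models a reference-counted device embedded in a driver-private struct, a devres-style list that frees its entries when remove() finishes, and the deferred release that CONFIG_DEBUG_KOBJECT_RELEASE introduces. Names such as run_cycle, vm_alloc and devm_vm_alloc are the model's own; a bookkeeping flag stands in for the allocator so the use after free is counted rather than actually dereferenced.

```c
/* User-space model of the vm_dev lifecycle bug (added example, not kernel code). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct device;
typedef void (*release_fn)(struct device *);

struct device {                 /* model of the refcounted 'struct device' */
    int refcount;
    release_fn release;
};

struct platform_device {        /* model: one devres-managed allocation, or NULL */
    void *devres;
};

struct vm_dev {                 /* driver state embedding the device */
    struct device dev;          /* first member, so (struct vm_dev *)dev is valid */
    struct platform_device *pdev;
};

/* One-slot allocator with bookkeeping: a use after free is detected via the
 * 'freed' flag instead of reading memory that a real allocator would reuse. */
static struct { struct vm_dev obj; bool freed; int frees; } slot;
static int uaf_count;

static struct vm_dev *vm_alloc(void) { memset(&slot, 0, sizeof slot); return &slot.obj; }
static void vm_free(struct vm_dev *p) {
    memset(p, 0x6b, sizeof *p);   /* poison, as SLUB does with debugging on */
    slot.freed = true;
    slot.frees++;
}

/* devres model: the allocation is tied to pdev and freed after remove(). */
static struct vm_dev *devm_vm_alloc(struct platform_device *pdev) {
    struct vm_dev *p = vm_alloc();
    pdev->devres = p;
    return p;
}
static void devm_vm_free(struct platform_device *pdev, struct vm_dev *p) {
    if (pdev->devres == p) { pdev->devres = NULL; vm_free(p); }
}
static void devres_release_all(struct platform_device *pdev) {
    if (pdev->devres) { vm_free(pdev->devres); pdev->devres = NULL; }
}

/* Driver-core model. With CONFIG_DEBUG_KOBJECT_RELEASE the release callback is
 * deferred instead of running inside the final put_device(). */
static bool debug_kobject_release;
static struct { struct device *dev; release_fn fn; } pending;

static void put_device(struct device *dev) {
    if (--dev->refcount) return;
    if (debug_kobject_release) { pending.dev = dev; pending.fn = dev->release; }
    else dev->release(dev);
}
static void flush_deferred_release(void) {
    if (pending.fn) { release_fn fn = pending.fn; pending.fn = NULL; fn(pending.dev); }
}

/* Buggy release: vm_dev belongs to devres, so if devres ran first the struct
 * is already gone and reading vm->pdev here is the use after free. */
static void release_buggy(struct device *d) {
    struct vm_dev *vm = (struct vm_dev *)d;
    if (slot.freed) { uaf_count++; return; }   /* the access KASAN would flag */
    devm_vm_free(vm->pdev, vm);
}
/* Fixed release: the struct is owned by the device lifecycle alone. */
static void release_fixed(struct device *d) {
    struct vm_dev *vm = (struct vm_dev *)d;
    if (slot.freed) { uaf_count++; return; }
    vm_free(vm);
}

/* One probe()/unbind cycle; returns the number of use-after-free accesses seen. */
int run_cycle(bool fixed, bool debug) {
    struct platform_device pdev = { 0 };
    struct vm_dev *vm;
    debug_kobject_release = debug; uaf_count = 0; pending.fn = NULL;
    vm = fixed ? vm_alloc() : devm_vm_alloc(&pdev);          /* probe() */
    vm->pdev = &pdev; vm->dev.refcount = 1;
    vm->dev.release = fixed ? release_fixed : release_buggy;
    put_device(&vm->dev);          /* remove(): unregister drops the last ref */
    devres_release_all(&pdev);     /* remove() returns, devres frees its list */
    flush_deferred_release();      /* later: deferred release work runs */
    return uaf_count;
}
int frees_in_last_cycle(void) { return slot.frees; }

int main(void) {
    printf("buggy, no debug:   uaf=%d\n", run_cycle(false, false));
    printf("buggy, debug:      uaf=%d\n", run_cycle(false, true));
    printf("fixed, debug:      uaf=%d\n", run_cycle(true, true));
    return 0;
}
```

Without the deferred release the buggy driver happens to free vm_dev from the release callback before devres runs, which is why the problem stays hidden on ordinary builds; with the release deferred, devres frees first and the callback lands on freed memory. The fixed variant frees exactly once in either ordering because ownership follows the embedded device rather than the platform binding.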