Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 5.10, < 5.10.134
A race condition has been identified in the Linux kernel's handling of swap devices during 'swapoff', affecting the 5.10.y stable series from 5.10 up to, but not including, 5.10.134. When a swap device is turned off, the kernel removes its swap_info_struct from the list of available swap devices. That removal must be done while holding the structure's own lock (si->lock); in the affected versions swapoff removed the device from the list before taking the lock. In that window another thread that holds si->lock still sees the device as writable and can re-add it to the available list, so once swapoff then takes the lock and clears the writable flag, the device being torn down remains reachable from the list while its resources are freed, which can lead to memory corruption. The race is triggered by concurrent 'madvise' operations that push pages out to swap, combined with intensive 'swapon' and 'swapoff' activity, such as the workload produced by the 'stress-ng' tool. It first shows up as a flood of kernel warnings from the swap subsystem about a device that is on the available list but no longer valid for allocation, and in severe cases it ends in a kernel panic.
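The ordering problem can be seen without a kernel. The following C program is an added example, not kernel code and not part of this advisory: it models the two orderings of del_from_avail_list() relative to spin_lock(&si->lock) in swapoff() as short step programs, runs each against a second thread that re-adds the device under si->lock while it still looks writable (modelled on the kernel's swap_range_free() path), and exhaustively enumerates every interleaving the lock permits. The step names, the thread programs, the SWP_WRITEOK value and the "freer" thread are simplifications made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

#define SWP_WRITEOK 0x2   /* model's own value; only this flag bit matters here */

/* One atomic step of a thread's program. */
typedef enum {
	SI_LOCK,         /* spin_lock(&si->lock): blocked while another thread holds it */
	SI_UNLOCK,       /* spin_unlock(&si->lock) */
	DEL_FROM_AVAIL,  /* del_from_avail_list(si) */
	CLEAR_WRITEOK,   /* si->flags &= ~SWP_WRITEOK */
	ADD_TO_AVAIL,    /* add_to_avail_list(si), only if SWP_WRITEOK is still set */
} step_t;

static const char *const step_name[] = {
	"lock", "unlock", "del_from_avail_list", "clear SWP_WRITEOK", "add_to_avail_list",
};

struct thread { const char *name; const step_t *prog; int len; };

struct state {
	int lock_owner;  /* -1 while si->lock is free, else the holding thread */
	bool on_avail;   /* is si currently on the available list? */
	unsigned flags;
	int pc[2];       /* next step of each thread */
};

/* Apply one step; returns false if it cannot run yet (lock is held elsewhere). */
static bool apply(struct state *s, int t, step_t op)
{
	switch (op) {
	case SI_LOCK:
		if (s->lock_owner != -1)
			return false;
		s->lock_owner = t;
		break;
	case SI_UNLOCK:      s->lock_owner = -1;        break;
	case DEL_FROM_AVAIL: s->on_avail = false;       break;
	case CLEAR_WRITEOK:  s->flags &= ~SWP_WRITEOK;  break;
	case ADD_TO_AVAIL:
		if (s->flags & SWP_WRITEOK)
			s->on_avail = true;
		break;
	}
	s->pc[t]++;
	return true;
}

#define TRACE_LEN 512

/* Depth-first enumeration of every interleaving the lock permits. Returns how
 * many end with swapoff finished but si still on the list, and records the
 * first such trace in first_bad. */
static int explore(struct state s, const struct thread th[2], const char *trace,
		   char *first_bad, int *total)
{
	if (s.pc[0] == th[0].len && s.pc[1] == th[1].len) {
		bool bad = s.on_avail && !(s.flags & SWP_WRITEOK);
		(*total)++;
		if (bad && first_bad[0] == '\0')
			snprintf(first_bad, TRACE_LEN, "%s", trace);
		return bad;
	}
	int bad = 0;
	for (int t = 0; t < 2; t++) {
		if (s.pc[t] == th[t].len)
			continue;
		struct state next = s;
		step_t op = th[t].prog[s.pc[t]];
		if (!apply(&next, t, op))
			continue;  /* thread t is spinning on si->lock; let the other run */
		char sub[TRACE_LEN];
		snprintf(sub, sizeof sub, "%s%s:%s; ", trace, th[t].name, step_name[op]);
		bad += explore(next, th, sub, first_bad, total);
	}
	return bad;
}

/* fixed == false: swapoff drops si from the list before taking si->lock (the
 * vulnerable ordering); fixed == true: it takes si->lock first. */
static int count_bad_interleavings(bool fixed, int *total, char *first_bad)
{
	static const step_t swapoff_vuln[]  = { DEL_FROM_AVAIL, SI_LOCK, CLEAR_WRITEOK, SI_UNLOCK };
	static const step_t swapoff_fixed[] = { SI_LOCK, DEL_FROM_AVAIL, CLEAR_WRITEOK, SI_UNLOCK };
	static const step_t freer[]         = { SI_LOCK, ADD_TO_AVAIL, SI_UNLOCK };
	const struct thread th[2] = {
		{ "swapoff", fixed ? swapoff_fixed : swapoff_vuln, 4 },
		{ "freer",   freer, 3 },
	};
	/* si starts writable and on the list; the outcome is the same if it
	 * starts off the list, because only the re-add path matters. */
	struct state s = { .lock_owner = -1, .on_avail = true, .flags = SWP_WRITEOK, .pc = { 0, 0 } };
	*total = 0;
	first_bad[0] = '\0';
	return explore(s, th, "", first_bad, total);
}

int main(void)
{
	char trace[TRACE_LEN];
	int total, bad;

	bad = count_bad_interleavings(false, &total, trace);
	printf("unpatched swapoff: %d of %d interleavings leave a torn-down si on the list\n", bad, total);
	if (bad)
		printf("  e.g. %s\n", trace);
	bad = count_bad_interleavings(true, &total, trace);
	printf("patched swapoff:   %d of %d interleavings\n", bad, total);
	return 0;
}
```

With the unpatched ordering, two of the five lock-respecting interleavings end with swapoff having cleared SWP_WRITEOK while the device is still on the available list: the freer takes si->lock between swapoff's unlocked removal and its later lock, sees the device as writable and puts it back. That is the state the kernel's swap warnings complain about, and it is what leaves a freed swap_info_struct reachable from the list. With the patched ordering the freer's re-add can only run before swapoff's locked section (and is then undone by the removal) or after it (and is then refused because the flag is clear), so no interleaving ends badly. The model only checks the final state; in the kernel the warning fires when the allocator next walks the list.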
Exploitation of this vulnerability causes memory corruption inside the kernel, which may not be immediately apparent but can lead to serious system instability, up to and including a kernel panic. Note that triggering it requires the 'swapoff' side of the race, and swapoff(2) needs CAP_SYS_ADMIN; only the 'madvise' side can be driven by an unprivileged process.
To reproduce this vulnerability on an affected kernel, perform the following steps:
1. Run a workload that keeps the swap subsystem busy, for example with the 'stress-ng' tool, while concurrently calling 'madvise' with the 'MADV_PAGEOUT' flag on actively used memory so that pages are pushed out to swap.
2. While that workload runs, repeatedly execute 'swapoff' (followed by 'swapon', so that there is always a device to remove) to open the race window; this step requires CAP_SYS_ADMIN.
3. Watch the kernel log for warnings from the swap subsystem about a swap device that is still on the available list but no longer valid for allocation. These indicate that the race was hit; the memory corruption that follows is not always immediately visible.
Upgrade to Linux 5.10.134 or later in the 5.10.y series (or to a later stable series), where swapoff holds the swap_info_struct's lock while removing the device from the available list. Until the kernel is updated, avoid running 'swapoff' on a system that is actively swapping, since the swapoff side of the race is required to hit the bug.