Linux Kernel Posix Timers Timer ID Search Loop Race Condition Vulnerability

Vulnerability

A race condition has been identified in the Linux kernel's POSIX timer code. posix_timer_add() allocates the ID for a new timer by starting from the per-process cached ID left behind by the last successful allocation and walking the ID space one slot at a time until it finds one that is free. The loop is meant to stop once the search has wrapped around to its starting point. That starting point, however, is read before the hash lock is taken, so another thread of the same process can modify it at the same instant. Because the cached ID is incremented first and only reset to zero afterwards when it has gone negative, a lockless reader can observe the transient negative value; the counter it is later compared against is always clamped to non-negative values, so the wrap-around check never matches and the loop no longer terminates the way it was designed to. In practice the search still ends as soon as a free slot turns up, so an endless loop is unlikely, but the racy read was flagged by the Kernel Concurrency Sanitizer (KCSAN), and the fix is to perform every read and update of the cached ID under the hash lock and to bound the search with an explicit iteration count.

Impact

The effect is limited to timer ID allocation in the process whose threads are racing: a timer_create() call can lose the loop's intended termination bound and keep probing IDs until a free one is found, instead of giving up with -EAGAIN once the whole ID space has been covered. The timer hash table itself is only modified with the hash lock held, so timer state is not corrupted; the consequence is unsynchronized, unpredictable control flow in the allocation path rather than memory corruption.

Reproduction

Two threads of the same process must call timer_create() (and so posix_timer_add()) concurrently on different CPUs. The first thread reads the cached starting ID without holding the hash lock; before it takes the lock, the second thread, which does hold it, increments the cached ID, for instance past INT_MAX so that it is momentarily negative. The first thread's private copy of the starting point is now stale or negative, and the termination check that compares the clamped counter against it can no longer succeed. The window is only the handful of instructions between the lockless read and the lock acquisition, and the loop still stops at the first free ID, so the condition is most reliably observed as a KCSAN data-race report rather than as a hang.

Remediation

The fix is in the mainline Linux kernel: posix_timer_add() now reads and rewrites the cached ID only while holding the hash lock, clamps it into the valid range, and bounds the search with an explicit iteration count instead of comparing against a value read outside the lock. Upgrade to a kernel release that contains this change. To confirm a given tree is fixed, inspect posix_timer_add() in kernel/time/posix-timers.c: every access to the cached ID should occur with hash_lock held, and the search should be a bounded for loop rather than a do-while that exits on equality with a value read before the lock.
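The two loop shapes described above, in the vulnerability description and the remediation, as an added user-space model (not kernel code and not taken from the Linux tree): it shrinks the ID space from INT_MAX to a 16-entry bitmap, replaces hash_lock with comments, and feeds the value a lockless read would have observed straight into the pre-fix loop, since the model itself is single-threaded. Names such as ID_MAX, SEARCH_CAP, MODEL_STUCK, sig_model, add_vulnerable, add_fixed and run are the model's own, not kernel identifiers. With every ID in use, the pre-fix loop given a sane start returns -EAGAIN after exactly 16 lock round trips, while the same loop given an out-of-range start only stops because of the model's SEARCH_CAP guard; given one free slot it still terminates on that slot, which is why an endless loop is unlikely in practice. The post-fix loop returns -EAGAIN after 16 iterations regardless of what the cached value looked like.

```c
/*
 * Added illustration, not kernel code: a single-threaded user-space model of
 * the posix_timer_add() ID search before and after the fix. ID space shrunk
 * from INT_MAX to ID_MAX, hash table replaced by a bitmap, hash_lock by a
 * comment; the racy lockless read is simulated by passing in what it saw.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ID_MAX      15      /* stands in for INT_MAX; ID_MAX + 1 is a power of two, so "& ID_MAX" clamps like "& INT_MAX" */
#define SEARCH_CAP  1000    /* model-only guard so a search that never self-terminates still returns */
#define MODEL_STUCK (-1000) /* model-only result: the loop hit SEARCH_CAP */

struct sig_model {
	int next_id;              /* the per-process cached ID in signal_struct */
	bool used[ID_MAX + 1];    /* stands in for the hash-table lookup */
	unsigned long iterations; /* lock round trips performed by one search */
};
struct outcome { int ret; unsigned long iterations; };

/* Fill the ID space; free_id < 0 means every ID is already in use. */
static void init_sig(struct sig_model *sig, int next_id, int free_id)
{
	memset(sig, 0, sizeof(*sig));
	sig->next_id = next_id;
	for (int i = 0; i <= ID_MAX; i++)
		sig->used[i] = (i != free_id);
}

/*
 * Pre-fix shape. first_free_id is whatever the lockless read saw. The kernel
 * field is transiently negative (INT_MAX wrapped to INT_MIN) between the "++"
 * and the reset to 0; here that transient is ID_MAX + 1. A start outside
 * [0, ID_MAX] never equals the clamped counter, so only a free slot ends the loop.
 */
static int add_vulnerable(struct sig_model *sig, int racy_start)
{
	int first_free_id = racy_start, ret = -ENOENT;
	sig->iterations = 0;
	do {
		/* spin_lock(&hash_lock); */
		sig->iterations++;
		if (sig->next_id >= 0 && sig->next_id <= ID_MAX && !sig->used[sig->next_id]) {
			sig->used[sig->next_id] = true;
			ret = sig->next_id;
		}
		if (++sig->next_id > ID_MAX)   /* kernel: "< 0" after incrementing INT_MAX */
			sig->next_id = 0;
		if (sig->next_id == first_free_id && ret == -ENOENT)
			ret = -EAGAIN;             /* wrapped around: whole ID space searched */
		/* spin_unlock(&hash_lock); */
		if (ret == -ENOENT && sig->iterations >= SEARCH_CAP)
			return MODEL_STUCK;
	} while (ret == -ENOENT);
	return ret;
}

/*
 * Post-fix shape: the cached ID is read and rewritten only under the lock and
 * clamped, and the search is bounded by a counter, not by a lockless value.
 */
static int add_fixed(struct sig_model *sig)
{
	sig->iterations = 0;
	for (unsigned int cnt = 0; cnt <= ID_MAX; cnt++) {
		/* spin_lock(&hash_lock); */
		unsigned int id = (unsigned int)sig->next_id & ID_MAX; /* mask only guards the model's array */
		sig->next_id = (int)((id + 1) & ID_MAX);
		sig->iterations++;
		if (!sig->used[id]) {
			sig->used[id] = true;
			/* spin_unlock(&hash_lock); */
			return (int)id;
		}
		/* spin_unlock(&hash_lock); */
	}
	return -EAGAIN; /* POSIX result when no timer ID could be allocated */
}

/* One search against a fresh ID space; racy_start is ignored by the fixed loop. */
static struct outcome run(bool fixed, int next_id, int free_id, int racy_start)
{
	struct sig_model sig;
	struct outcome o;
	init_sig(&sig, next_id, free_id);
	o.ret = fixed ? add_fixed(&sig) : add_vulnerable(&sig, racy_start);
	o.iterations = sig.iterations;
	return o;
}

int main(void)
{
	struct outcome a = run(false, 0, -1, 0), b = run(false, 0, -1, ID_MAX + 1);
	struct outcome c = run(false, 3, 5, ID_MAX + 1), d = run(true, 0, -1, 0);

	printf("vulnerable, full table, sane start : ret %d after %lu iterations\n", a.ret, a.iterations);
	printf("vulnerable, full table, racy start : ret %d after %lu iterations\n", b.ret, b.iterations);
	printf("vulnerable, slot 5 free, racy start: ret %d after %lu iterations\n", c.ret, c.iterations);
	printf("fixed, full table                  : ret %d after %lu iterations\n", d.ret, d.iterations);
	return 0;
}
```

The model keeps the pre-fix loop's exact control structure (do-while, increment then reset, equality test against the pre-loop copy) so that the only thing injected is the value the lockless read returned; the SEARCH_CAP guard exists purely so the model returns, since the kernel loop has no such bound.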

Added: Oct 22, 2025, 2:27 PM
Updated: Oct 22, 2025, 2:27 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread            9.0
impact            2.5
exploitability    3.9
remediation       7.7
relevance         0.8
threat            4.8
urgency           2.9
incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.