Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.3.0-rc1-syzkaller, < 6.3.0-rc1-syzkaller
A race condition vulnerability has been identified in the Linux kernel's IOMMUFD (Input/Output Memory Management Unit File Descriptor) handling. Specifically, the IOMMUFD_DESTROY operation incorrectly increments the reference count of an object without proper synchronization, leading to potential spurious failures. This issue arises because the reference count elevation is not protected by the necessary write semaphore, allowing IOMMUFD_DESTROY to be raced with other operations that could disrupt the expected behavior. The vulnerability affects the Linux kernel stable tree, particularly in version 6.3.0-rc1-syzkaller, as reported by the syzbot fuzzing tool.
Exploitation of this vulnerability can cause a race condition that leads to incorrect reference counting, potentially allowing for use-after-free scenarios or other memory management errors.
The vulnerability can be reproduced by invoking the IOMMUFD_DESTROY operation, which will unintentionally increase the reference count of the associated object. This can be done through the IOMMUFD file operations interface, specifically by issuing an ioctl command that triggers the destruction of an IOMMUFD object. The race condition can be observed when this operation is executed concurrently with other IOMMUFD operations that interact with the same object, such as creating or accessing IOMMUFD resources.
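The difference between a reference elevated under the semaphore and one that outlives it can be replayed step by step. The following is an added example, not kernel code and not taken from the fix: it is a single-threaded toy model of the interleaving, and every type and function name in it is hypothetical.

```c
/* Added illustration: single-threaded replay of the interleaving.
 * Not kernel code; all names below are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct rwsem { int readers; bool writer; };            /* toy destroy semaphore */
struct obj   { struct rwsem sem; int users; bool destroyed; }; /* users == 1: idle */

static bool try_read(struct rwsem *s)  { if (s->writer) return false; s->readers++; return true; }
static void up_read(struct rwsem *s)   { s->readers--; }
static bool try_write(struct rwsem *s) { if (s->writer || s->readers) return false; s->writer = true; return true; }
static void up_write(struct rwsem *s)  { s->writer = false; }

/* Destroyer: take the write side, then require that no one else holds a reference. */
static int destroy_locked(struct obj *o)
{
    if (!try_write(&o->sem))
        return -EAGAIN;                 /* a blocking lock would sleep here, not fail */
    int ret = -EBUSY;
    if (o->users == 1) { o->users = 0; o->destroyed = true; ret = 0; }
    up_write(&o->sem);
    return ret;
}

/* Flawed lookup: the temporary reference outlives the read side of the semaphore. */
static void flawed_lookup(struct obj *o)
{
    if (try_read(&o->sem)) { o->users++; up_read(&o->sem); }
}

/* Caller A does the flawed lookup; caller B destroys inside A's window. */
static int replay_flawed(void)
{
    struct obj o = { { 0, false }, 1, false };
    flawed_lookup(&o);                  /* A: users 1 -> 2, semaphore already released */
    return destroy_locked(&o);          /* B: gets the write side, sees users == 2 */
}

/* Caller A keeps the read side while it holds the reference; B waits, then succeeds. */
static int replay_protected(void)
{
    struct obj o = { { 0, false }, 1, false };
    if (try_read(&o.sem)) o.users++;    /* A: reference taken under the read side */
    int first = destroy_locked(&o);     /* B: cannot take the write side yet */
    o.users--; up_read(&o.sem);         /* A: finished with the object */
    return first == -EAGAIN ? destroy_locked(&o) : -1;
}

int main(void) { printf("flawed=%d protected=%d\n", replay_flawed(), replay_protected()); return 0; }
```

In the flawed replay the destroyer fails with `-EBUSY` although no caller is actually using the object, which is the spurious failure described above; in the protected replay the destroyer is held off by the semaphore and succeeds once the reference is dropped.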
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.