Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition has been identified in the Linux kernel's block layer, specifically in the blk-mq request handling path. The block layer does not release the keyslot associated with a crypto key until the I/O request is freed; because upper layers are told that the I/O has completed before that point, the key eviction function can observe a keyslot that still appears to be in use. Under that condition the eviction is mishandled and a use-after-free results, notably when per-file encryption keys are used with the fscrypt feature. The fix changes the block layer to release the keyslot before reporting completion of the I/O request.
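The ordering problem described above, as an added illustration that is not the kernel's code: a small C model in which a keyslot table tracks in-flight references, one completion path reports completion before dropping the slot reference and the other drops it first, and the upper layer (standing in for a filesystem with per-file keys) evicts its key as soon as it is told the I/O finished. All names (crypto_key, keyslot, io_request, get_keyslot, put_keyslot, evict_key, complete_io_buggy, complete_io_fixed, fs_on_complete) and the sample key are constructed for this model; the race is made deterministic by having the completion callback evict immediately, which is the window the ordering exposes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the keyslot lifecycle, not kernel code. */

struct crypto_key { int id; };

struct keyslot {
    const struct crypto_key *key;   /* key programmed into the slot, NULL if free */
    int refs;                       /* in-flight requests still holding the slot */
};

struct io_request {
    struct keyslot *slot;
    const struct crypto_key *key;
    void (*on_complete)(struct io_request *);
    bool evict_ok;                  /* result of the upper layer's eviction attempt */
};

#define NSLOTS 2
static struct keyslot slots[NSLOTS];
static struct crypto_key demo_key = { .id = 42 };   /* constructed sample key */

static void reset_slots(void)
{
    for (int i = 0; i < NSLOTS; i++) {
        slots[i].key = NULL;
        slots[i].refs = 0;
    }
}

/* Take a reference on the slot holding key, programming a free slot if needed. */
static struct keyslot *get_keyslot(const struct crypto_key *key)
{
    for (int i = 0; i < NSLOTS; i++)
        if (slots[i].key == key) { slots[i].refs++; return &slots[i]; }
    for (int i = 0; i < NSLOTS; i++)
        if (slots[i].key == NULL) { slots[i].key = key; slots[i].refs = 1; return &slots[i]; }
    return NULL;                    /* no free slot; not exercised in this model */
}

static void put_keyslot(struct keyslot *slot)
{
    slot->refs--;
}

/* Eviction is only valid once no in-flight I/O references the slot. If a
 * reference is still held the function refuses and leaves the slot programmed. */
static bool evict_key(const struct crypto_key *key)
{
    for (int i = 0; i < NSLOTS; i++) {
        if (slots[i].key != key)
            continue;
        if (slots[i].refs != 0)
            return false;           /* slot looks "in use": eviction skipped */
        slots[i].key = NULL;
        return true;
    }
    return true;                    /* key was never programmed */
}

/* Buggy ordering: completion is reported while the request still holds its
 * keyslot reference; the reference is only dropped when the request is freed. */
static void complete_io_buggy(struct io_request *rq)
{
    rq->on_complete(rq);
    put_keyslot(rq->slot);
}

/* Fixed ordering: release the keyslot first, then report completion. */
static void complete_io_fixed(struct io_request *rq)
{
    put_keyslot(rq->slot);
    rq->on_complete(rq);
}

/* Upper layer: once its last I/O completes it evicts the per-file key
 * (and would then free it). The eviction result is recorded on the request. */
static void fs_on_complete(struct io_request *rq)
{
    rq->evict_ok = evict_key(rq->key);
}

/* Drive one request through the given completion path; returns whether the
 * upper layer's eviction succeeded. */
static bool run_scenario(void (*complete)(struct io_request *))
{
    reset_slots();
    struct io_request rq = { .key = &demo_key, .on_complete = fs_on_complete };
    rq.slot = get_keyslot(&demo_key);
    complete(&rq);
    return rq.evict_ok;
}

/* Slots still programmed after a scenario. With the buggy ordering one slot keeps
 * pointing at a key its owner believes is gone: the stale reference that, in the
 * real bug, turns into a use-after-free. */
static int programmed_slot_count(void)
{
    int n = 0;
    for (int i = 0; i < NSLOTS; i++)
        n += slots[i].key != NULL;
    return n;
}

int main(void)
{
    bool ok = run_scenario(complete_io_buggy);
    printf("buggy ordering: evict %s, %d slot(s) left programmed\n",
           ok ? "succeeded" : "refused", programmed_slot_count());
    ok = run_scenario(complete_io_fixed);
    printf("fixed ordering: evict %s, %d slot(s) left programmed\n",
           ok ? "succeeded" : "refused", programmed_slot_count());
    return 0;
}
```

The model makes the defensive point directly: an eviction routine that checks a reference count is only as good as the guarantee that all holders have dropped their reference by the time the caller is allowed to evict, so any "done" notification must come after the last internal release, not before.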
Triggering this vulnerability produces a use-after-free: memory that has already been freed is accessed again, which corrupts kernel memory and could potentially lead to arbitrary code execution.
To reproduce this vulnerability, enable inline encryption support in the block layer and use per-file encryption keys with the fscrypt feature. Perform I/O operations that use a blk_crypto_key, then evict that key once the I/O is reported complete; the race condition manifests as a use-after-free.
Users should upgrade to a patched Linux kernel release in which this vulnerability has been addressed. Instructions for downloading the latest stable kernel are available on the official Linux kernel website.