Linux Kernel VMCI Host Race Condition Vulnerability in Polling Function Causes General Protection Fault

Vulnerability

A race condition vulnerability has been identified in vmci_host_poll(), the polling function of the Linux kernel's VMCI host driver. During fuzzing it produced a general protection fault, most likely caused by a non-canonical address. The root cause is that vmci_host_poll() reads the VMCI context before that context has been fully set up, so it dereferences an uninitialized (null) pointer. The defect is in the host-side VMCI driver and affects Linux kernel versions prior to the fix.

Impact

Triggering this vulnerability causes a general protection fault in the kernel, disrupting normal operation. Because the fault stems from a null pointer dereference, the result is undefined behavior or a system crash (denial of service).

Reproduction

The vulnerability is reproduced by polling a VMCI host device whose context has not yet been fully initialized: if vmci_host_poll() runs while the corresponding VMCI context is still being set up, the two operations race and the uninitialized context read ends in a general protection fault.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Dec 24, 2025, 1:02 PM
Updated: Dec 24, 2025, 1:02 PM

Vulnerability Rating (Custom Algorithm)

spread:         9.0
impact:         2.5
exploitability: 5.3
remediation:    7.7
relevance:      1.5
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.