Linux Kernel Soft Lockup Vulnerability in Audit Subsystem

A vulnerability in the Linux kernel's audit subsystem can lead to a soft lockup, where the system becomes unresponsive for a period of time. This issue occurs in the audit_inode_child() function, which can be overwhelmed by a large number of PATH records generated through tracefs or debugfs. The vulnerability is present in the Linux kernel stable tree, specifically in versions prior to the latest commit that addresses this issue.

Impact

Exploitation of this vulnerability can cause a soft lockup, where a CPU becomes unresponsive for an extended period, potentially leading to a kernel panic.

Reproduction

The vulnerability can be reproduced by setting up a Linux kernel with CONFIG_KASAN enabled and CONFIG_PREEMPTION disabled. After configuring the kernel, use the auditctl command to monitor file open events, and then create a directory in the tracefs debug filesystem. This sequence of actions can trigger the soft lockup by flooding the audit system with PATH records, causing the CPU to become unresponsive.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.