Linux Kernel Use-After-Free Vulnerability in i915 Performance Configuration Handling

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's i915 graphics driver, in its handling of performance configurations. The issue is a race condition: userspace can control the timing of object creation and deletion so that a freed object is dereferenced. The vulnerability is present in Linux kernel versions 4.14 and later.

Impact

Triggering the use-after-free condition may allow arbitrary code execution, or cause a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, userspace can guess the ID values used in the i915 performance configuration interface. By racing the creation of an 'oa_config' object with the removal of a configuration, it is possible to trigger the use-after-free condition. This can be done by first sending a request to add a configuration, then quickly sending a request to remove it before the first request is fully processed. If the object is dereferenced after the metrics lock is released, the use-after-free vulnerability is triggered.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.
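
The lock-scope mistake described under Reproduction, and one way to close it, modeled in userspace C. This is an added example, not i915 code and not taken from the kernel fix; `oa_config_model`, `configs`, `add_config` and `remove_config` are hypothetical names, and only the idea of a metrics lock guarding an ID-keyed set of configurations comes from the text above.

```c
/* Added example: userspace model, not i915 code. All names are hypothetical. */
#include <pthread.h>
#include <stdlib.h>
#define MAX_CONFIGS 8

struct oa_config_model { int id; };   /* stand-in for the driver's config object */
static pthread_mutex_t metrics_lock = PTHREAD_MUTEX_INITIALIZER;
static struct oa_config_model *configs[MAX_CONFIGS];   /* ID -> object */
static int next_id = 1;

/* Publish a new config and return its ID, or -1 on failure. */
int add_config(void)
{
    struct oa_config_model *cfg = calloc(1, sizeof(*cfg));
    int id;
    if (!cfg)
        return -1;
    pthread_mutex_lock(&metrics_lock);
    if (next_id >= MAX_CONFIGS) {
        pthread_mutex_unlock(&metrics_lock);
        free(cfg);
        return -1;
    }
    cfg->id = next_id++;
    configs[cfg->id] = cfg;   /* published: a concurrent remove can now free cfg */
    id = cfg->id;             /* copy what is needed while the lock is still held */
    pthread_mutex_unlock(&metrics_lock);

    /* Racy form: `return cfg->id;` here reads memory a remover may have freed. */
    return id;
}

/* Unpublish and free the config with this ID; 0 on success, -1 if absent. */
int remove_config(int id)
{
    struct oa_config_model *cfg;
    if (id <= 0 || id >= MAX_CONFIGS)
        return -1;
    pthread_mutex_lock(&metrics_lock);
    cfg = configs[id];
    configs[id] = NULL;       /* unpublish under the lock so no second free occurs */
    pthread_mutex_unlock(&metrics_lock);
    if (!cfg)
        return -1;
    free(cfg);
    return 0;
}
```

Once the object is reachable by ID, the creating path no longer owns it exclusively, so anything read from it after the unlock must either be copied beforehand, as here, or be protected by a reference the creator still holds.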

Added: Dec 30, 2025, 3:52 PM
Updated: Dec 30, 2025, 3:52 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.