Google ChromeOS
cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*
Affected version: 5.4
A race-condition use-after-free vulnerability has been identified in the ChromeOS kernel version 5.4, specifically in the virtio_transport_space_update function. It arises from concurrent allocation and deallocation of the virtio_vsock_sock structure during an AF_VSOCK connect syscall: depending on the timing of these operations, a dangling pointer to the freed structure is left behind, potentially leading to unauthorized execution of kernel code.
Exploitation of this vulnerability allows for execution of arbitrary code in the kernel context, with the potential to escalate privileges.
The vulnerability can be reproduced by creating AF_VSOCK sockets and initiating a connection while injecting delays to manipulate the timing of operations. This can be done by patching the ChromeOS kernel to add delays in the virtio_transport_recv_pkt function, ensuring that the first connection times out while the corresponding packet processing is still ongoing. Once the race condition is established, the use-after-free can be triggered consistently, leading to a kernel crash.
The vulnerability has been fixed in the ChromeOS kernel by backporting an upstream patch that addresses the race condition. Users should ensure they are running a version of ChromeOS that includes this fix.