Linux Kernel UAF Vulnerability in Xen Gntdev Dma-Buf Export Function

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of DMA buffer exports within the Xen grant device (gntdev). The issue arises in the 'dmabuf_exp_from_pages' function, which reserves a file descriptor and immediately exposes it to userland. If another thread closes that descriptor before the export path has finished with the objects behind it, the close destroys those objects while the export path is still accessing them, and the kernel touches freed memory. The window between installing the descriptor and completing its setup is a race condition that can be exploited.

Impact

Winning this race produces a use-after-free in the kernel, which can lead to memory corruption or potentially arbitrary code execution.

Reproduction

The vulnerability can be reproduced by exporting a DMA buffer through the Xen grant device while another thread closes the returned file descriptor at the same time. The export path reserves a file descriptor, installs it, and then continues to access related objects that are destroyed when the descriptor is closed. Because the close can happen before the export process completes, the export path ends up operating on freed memory.
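The following userland C model is an added illustration of the ordering hazard described in the Vulnerability and Reproduction sections; it is not code from the advisory or from the Linux kernel. It assumes a toy descriptor table and a hook that emulates a concurrent close() at the instant the descriptor is installed (all names here, such as mock_fd_install, obj_set_fd and model_reset, are constructed for the example). The vulnerable ordering publishes the handle and then touches the object; the hardened ordering finishes every access to the object before the handle becomes reachable, which is the general fix pattern for "install the fd last" bugs.

```c
#include <stdio.h>
#include <stdlib.h>

#define FD_MAX 8

/* Constructed model of an exported object. Instead of free(), a release
 * sets 'freed' so that a stale access can be detected rather than crash. */
struct export_obj {
    int fd;
    int freed;
};

static struct export_obj pool[FD_MAX];      /* fixed arena, no malloc needed */
static int pool_used;
static struct export_obj *fd_table[FD_MAX]; /* toy per-process fd table */
static int race_close_on_install;           /* 1 = emulate a racing close() */
static int uaf_accesses;                    /* accesses to released objects */

/* Reset the model; 'race' selects whether a concurrent close is simulated. */
void model_reset(int race) {
    for (int i = 0; i < FD_MAX; i++) fd_table[i] = NULL;
    pool_used = 0;
    race_close_on_install = race;
    uaf_accesses = 0;
}

static struct export_obj *obj_alloc(void) {
    if (pool_used >= FD_MAX) return NULL;
    struct export_obj *o = &pool[pool_used++];
    o->fd = -1;
    o->freed = 0;
    return o;
}

static int reserve_fd(void) {
    for (int i = 0; i < FD_MAX; i++)
        if (!fd_table[i]) return i;
    return -1;
}

/* Emulates close(fd): the release callback tears the object down. */
static void mock_close(int fd) {
    if (fd < 0 || fd >= FD_MAX || !fd_table[fd]) return;
    fd_table[fd]->freed = 1;
    fd_table[fd] = NULL;
}

/* Emulates fd_install(): from this point userland can reach (and close) it. */
static void mock_fd_install(int fd, struct export_obj *o) {
    fd_table[fd] = o;
    if (race_close_on_install) mock_close(fd);
}

/* Every touch of the object goes through here so stale accesses are counted. */
static void obj_set_fd(struct export_obj *o, int fd) {
    if (o->freed) uaf_accesses++;
    o->fd = fd;
}

/* Vulnerable ordering: publish the handle, then keep using the object. */
int export_vulnerable(void) {
    int fd = reserve_fd();
    if (fd < 0) return -1;
    struct export_obj *o = obj_alloc();
    if (!o) return -1;
    mock_fd_install(fd, o);   /* handle visible to other threads ... */
    obj_set_fd(o, fd);        /* ... then the object is touched: racy */
    return fd;
}

/* Hardened ordering: finish all work on the object, install the fd last. */
int export_hardened(void) {
    int fd = reserve_fd();
    if (fd < 0) return -1;
    struct export_obj *o = obj_alloc();
    if (!o) return -1;
    obj_set_fd(o, fd);        /* nobody else can reach the object yet */
    mock_fd_install(fd, o);   /* publish only after setup is complete */
    return fd;                /* the object is never touched again here */
}

int uaf_access_count(void) { return uaf_accesses; }

int main(void) {
    model_reset(1);
    printf("vulnerable: fd=%d, stale accesses=%d\n", export_vulnerable(), uaf_access_count());
    model_reset(1);
    printf("hardened:   fd=%d, stale accesses=%d\n", export_hardened(), uaf_access_count());
    return 0;
}
```

With the racing close enabled, the vulnerable path reports one access to a released object while the hardened path reports none; with the race disabled both paths behave identically, which is why this class of bug survives ordinary testing and is only caught by review of what happens after the handle is installed.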

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: Aug 19, 2025, 6:08 PM
Updated: Aug 19, 2025, 6:08 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.