Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (four further CPE entries not shown)
A race condition vulnerability has been identified in the Comedi subsystem of the Linux kernel, specifically in the interaction between device polling and device detachment. The Comedi framework frees a device's allocated asynchronous area while poll requests registered on it are still active; the wait queue head that those poll entries reference lives inside that area. When the poll entries are later woken or removed, the wait queue head has already been freed, so the kernel operates on freed memory and the result is a use-after-free with the potential for memory corruption.
Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by attaching a Comedi device and issuing a poll request while a detachment is initiated concurrently through the COMEDI_DEVCONFIG ioctl. In that window the poll request has registered on the device's asynchronous area while the device is being detached, and the use-after-free manifests when the freed wait queue head is later touched.
The vulnerability has been addressed by modifying the COMEDI_DEVCONFIG ioctl handler to take a write-lock on the device's attachment lock before checking whether any subdevice is busy. Because the poll path registers under the same lock, the busy check and the teardown that follows it form one critical section, so no poll request can slip in between the check and the free.