Linux Kernel habanalabs Component Use-After-Free Vulnerability in DMA-Buf Export Function

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's habanalabs component, specifically in the export_dmabuf() function. Once a file reference has been inserted into the descriptor table, another thread can close it. That is harmless when the function merely returns the descriptor to userland, but it becomes a problem if fd_install() is followed by access to objects that are destroyed on close. export_dmabuf() calls dma_buf_fd(), which combines reserving a descriptor with fd_install(), and then accesses objects that may already have been destroyed. The fix changes the function to reserve the descriptor before any other actions and to perform fd_install() only after everything is set up, which eliminates the race condition.
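The ordering problem described above, as an added userspace model in C (not code from the kernel or the habanalabs driver). All names (struct buf, reserve_fd, install_fd, racing_close_all, finish_setup) are hypothetical stand-ins, and the racing close is forced to run immediately after install to represent the worst-case interleaving.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_FD 8
struct buf { bool alive; int stale_accesses; };  /* hypothetical exported object */
static struct buf *fd_table[MAX_FD];  /* installed: visible to other threads */
static bool fd_reserved[MAX_FD];      /* reserved: number taken, nothing visible */

/* Reserve a descriptor number without publishing anything. */
static int reserve_fd(void) {
    for (int fd = 0; fd < MAX_FD; fd++)
        if (!fd_reserved[fd]) { fd_reserved[fd] = true; return fd; }
    return -1;
}

/* Racing thread: closes every installed descriptor, destroying its object. */
static void racing_close_all(void) {
    for (int fd = 0; fd < MAX_FD; fd++) {
        if (!fd_table[fd]) continue;
        fd_table[fd]->alive = false;  /* stands in for the release on close */
        fd_table[fd] = NULL;
        fd_reserved[fd] = false;
    }
}

/* Publish the descriptor; worst case, the racing close lands immediately. */
static void install_fd(int fd, struct buf *b) { fd_table[fd] = b; racing_close_all(); }

/* Setup work that touches the object; counts accesses made after destruction. */
static void finish_setup(struct buf *b) { if (!b->alive) b->stale_accesses++; }

/* Vulnerable ordering: install, then keep using the object. */
int export_install_first(struct buf *b) {
    int fd = reserve_fd();
    if (fd < 0) return -1;
    install_fd(fd, b); finish_setup(b);
    return b->stale_accesses;
}
/* Fixed ordering: reserve first, finish setup, install as the last step. */
int export_install_last(struct buf *b) {
    int fd = reserve_fd();
    if (fd < 0) return -1;
    finish_setup(b); install_fd(fd, b);
    return b->stale_accesses;
}
int main(void) {
    struct buf a = {true, 0}, b = {true, 0};
    printf("install first: %d stale access(es)\n", export_install_first(&a));
    printf("install last:  %d stale access(es)\n", export_install_last(&b));
    return 0;
}
```

The model only flags the stale access instead of freeing memory, so it runs deterministically without undefined behaviour.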

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, allowing for potential memory corruption.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Sep 4, 2025, 5:28 PM
Updated: Sep 4, 2025, 5:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 3.5
remediation: 0.0
relevance: 0.5
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.