Linux Kernel Double-Free Vulnerability in DRM/xe VM Bind IOCTL

Vulnerability

A double-free vulnerability has been identified in the Linux kernel's DRM/xe subsystem, specifically within the VM bind IOCTL function. This issue arises when the argument check during an array bind fails, leading to the bind operations being freed twice. The vulnerability has been addressed by modifying the code to set the bind operations pointer to NULL after freeing it, preventing the double-free scenario.
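The pattern described above, as an added example that is not part of this advisory or the xe driver's code: a hypothetical argument check that owns the bind-ops array on failure and frees it, a caller that frees the array on its common exit path, and the fix of clearing the caller's pointer after the first free. All names (`bind_op`, `check_args`, `vm_bind`, `VALID_FLAGS`) and the inputs are invented for illustration; a small tracking allocator counts frees so the second free is recorded instead of corrupting the heap.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of the bug class in the advisory; this is NOT the xe
 * driver's code. Names, flag values and inputs are constructed.
 */

struct bind_op {
    unsigned int flags;      /* constructed: only bit 0 is a valid flag */
};

#define VALID_FLAGS 0x1u

/*
 * Minimal tracking allocator: remembers the one live ops array and counts
 * how often it is freed, so a second free is recorded instead of corrupting
 * the heap. A NULL argument is a no-op, like kfree()/kvfree().
 */
static struct bind_op *live_ops;
static int live_ops_frees;

static struct bind_op *ops_alloc(size_t n)
{
    live_ops = calloc(n, sizeof(*live_ops));
    live_ops_frees = 0;
    return live_ops;
}

static void ops_free(struct bind_op *ops)
{
    if (!ops)
        return;
    if (ops == live_ops && live_ops_frees++ == 0)
        free(ops);           /* the real memory is released only once */
}

/*
 * Argument check that owns the array on failure: it frees *ops and, when
 * apply_fix is set, also clears the caller's pointer (the fix the advisory
 * describes). Returns 0 on success, -1 on a rejected entry.
 */
static int check_args(struct bind_op **ops, size_t n, int apply_fix)
{
    for (size_t i = 0; i < n; i++) {
        if ((*ops)[i].flags & ~VALID_FLAGS) {
            ops_free(*ops);
            if (apply_fix)
                *ops = NULL;
            return -1;
        }
    }
    return 0;
}

/*
 * Caller modelled on the ioctl's shape: copy the supplied ops, validate,
 * do the bind, and free the array on the common exit path. Without the fix
 * the failure path frees the array in check_args and again here.
 * Returns the number of frees observed for this call's array, or -1 if the
 * allocation itself failed.
 */
static int vm_bind(const struct bind_op *in, size_t n, int apply_fix)
{
    struct bind_op *ops = ops_alloc(n);
    int err;

    if (!ops)
        return -1;
    memcpy(ops, in, n * sizeof(*ops));

    err = check_args(&ops, n, apply_fix);
    if (err)
        goto out;

    /* bind work would go here */

out:
    ops_free(ops);           /* sees NULL after the fixed failure path */
    return live_ops_frees;
}

/* Constructed inputs: one array that passes the check, one that fails it. */
static const struct bind_op good_ops[2] = { { 0x1 }, { 0x0 } };
static const struct bind_op bad_ops[2]  = { { 0x1 }, { 0x4 } };

int main(void)
{
    printf("valid ops, no fix:   %d free(s)\n", vm_bind(good_ops, 2, 0));
    printf("invalid ops, no fix: %d free(s)\n", vm_bind(bad_ops, 2, 0));
    printf("invalid ops, fixed:  %d free(s)\n", vm_bind(bad_ops, 2, 1));
    return 0;
}
```

The invalid input is freed twice without the fix and exactly once with it; the valid input is unaffected either way, which is the property a reviewer would want to confirm when an error path hands ownership back to a shared cleanup label.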

Impact

Exploitation of this vulnerability could lead to the memory corruption typical of double-free bugs, where the already-freed block is handed out again by the allocator and then accessed through the stale pointer.

Reproduction

The vulnerability can be reproduced by invoking the VM bind IOCTL for an array bind with arguments that fail the initial argument validation. The failing check frees the bind operations, and because the pointer is not nullified afterwards, the common cleanup path frees the same operations a second time.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Sep 5, 2025, 8:21 PM
Updated: Sep 5, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.