Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition has been identified in the Linux kernel's IOMMU file descriptor handling, specifically within the iommufd component. The vulnerability arises because the release of the file descriptor is not processed synchronously, which can leave a window for a use-after-free (UAF). The issue is triggered when the allocation of a new iommufd object fails before the associated file descriptor is fully established: the file is then released while the object is still expected to be valid. The flaw has been demonstrated by a syzkaller test, producing a UAF in which the kernel accesses freed memory, which can cause instability or potentially allow arbitrary code execution.
Exploitation of this vulnerability causes a use-after-free condition in the iommufd event queue file operations, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by allocating a new iommufd object and causing the allocation to fail before the associated file descriptor is fully established. The close() system call and the IOMMU_DESTROY ioctl trigger the asynchronous release of the file descriptor, creating the race condition on which the vulnerability depends.
Users should update to a Linux kernel release in which this vulnerability has been addressed. Distribution kernels may carry the fix as a backport, so consult the distribution's security advisory rather than relying on the upstream version number alone. Instructions for updating the kernel can be found in the official Linux documentation.