Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's futex subsystem, specifically during the requeue-PI operation. This vulnerability arises from a race condition where the futex_wait_requeue_pi function can return without proper synchronization, leaving a pointer to a task structure that has already been freed. The issue was triggered by syzbot, a kernel fuzzer, and can potentially be exploited to cause undefined behavior or memory corruption.
Exploitation of this vulnerability leads to a use-after-free condition, allowing for potential memory corruption or undefined behavior.
The vulnerability can be reproduced by invoking the futex_wait_requeue_pi function, which enters a wait state. While this thread is waiting, the futex_requeue function can be called from another thread, leading to a race condition. Once the requeue operation completes, the first thread is woken, but it receives a pointer to a futex queue entry that has already been invalidated. This requires a combination of futex operations that creates a timing window in which the requeue can occur before the wait is properly synchronized.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed.