Linux Kernel vhost Task Reference Management Vulnerability

Vulnerability

A vulnerability in the Linux kernel's vhost task management can lead to a use-after-free issue. The vulnerability arises in the vhost_task_create() function, which creates a task and retains a pointer to its task_struct. If the task exits prematurely due to a signal, the task_struct is released. A pending vhost_task_wake() call may subsequently access the released task_struct, which is a use-after-free. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can cause a use-after-free condition, where a reference is made to a memory structure that has already been released. This can lead to undefined behavior, including memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a vhost task that exits early due to a signal. This is done by initiating a task with the vhost_task_create() function and then sending a signal that terminates the task before vhost_task_wake() has run. The pending vhost_task_wake() call then attempts to access the task_struct, which has already been released, causing the use-after-free condition.
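The ordering described above, as an added user-space model that is not kernel code and does not use the real vhost_task or task_struct APIs: a shared object whose last reference can be dropped by the task itself, compared with the same sequence when the creator holds its own reference until a stop path. The names (task_get, task_put, task_exit, task_wake, the scenario functions) are illustrative, and the reference-holding remedy is an assumed mitigation used to show the lifetime rule, not a quotation of the upstream fix. Rather than freeing memory, the model marks the object as released, so the would-be use-after-free is reported as a return value instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Added illustrative model, not kernel code. A "task" object is shared between
 * its creator and the task itself. task_put() marks the object as released
 * when the last reference goes (standing in for the real task_struct being
 * freed), and task_wake() reports -1 if asked to touch a released object.
 */
struct task {
    int refcount;   /* references held: the task's own plus any creator's */
    bool exited;    /* the task has run to exit (e.g. on a signal) */
    bool released;  /* stands in for the real task_struct being freed */
    int wakeups;    /* wake-ups delivered while the object was valid and running */
};

static void task_init(struct task *t)
{
    t->refcount = 1;      /* the task's own reference, dropped at exit */
    t->exited = false;
    t->released = false;
    t->wakeups = 0;
}

static void task_get(struct task *t) { t->refcount++; }

static void task_put(struct task *t)
{
    if (--t->refcount == 0)
        t->released = true;   /* the model's equivalent of the final free */
}

/* The task exits on its own (as on a signal) and drops its own reference. */
static void task_exit(struct task *t)
{
    t->exited = true;
    task_put(t);
}

/*
 * Analogue of a wake-up call: returns 0 if the object is still valid (waking
 * an already-exited task is a harmless no-op), -1 if this access would have
 * been a use-after-free in the real kernel.
 */
static int task_wake(struct task *t)
{
    if (t->released)
        return -1;
    if (!t->exited)
        t->wakeups++;
    return 0;
}

/*
 * Vulnerable ordering from the advisory: the creator keeps a raw pointer to the
 * task but no reference of its own. When the task exits early, the last
 * reference goes with it, and the later wake-up touches a released object.
 */
int scenario_without_creator_ref(void)
{
    struct task t;
    task_init(&t);
    task_exit(&t);          /* task terminated by a signal before anything else ran */
    return task_wake(&t);   /* -1: use-after-free in the model */
}

/*
 * Mitigated ordering (assumed remedy for illustration, not the upstream fix):
 * the creator takes its own reference at creation time and drops it only in
 * the stop path, so an early exit cannot release the object while a wake-up
 * may still be pending.
 */
int scenario_with_creator_ref(void)
{
    struct task t;
    task_init(&t);
    task_get(&t);            /* creator's reference, refcount is now 2 */
    task_exit(&t);           /* task's own reference goes, refcount is 1 */
    int rc = task_wake(&t);  /* 0: object still valid, wake is a no-op */
    task_put(&t);            /* stop path drops the creator's reference */
    return rc;
}

/* In the mitigated ordering the object is released exactly once, in the stop path. */
bool mitigated_releases_on_stop(void)
{
    struct task t;
    task_init(&t);
    task_get(&t);
    task_exit(&t);
    bool released_before_stop = t.released;
    task_put(&t);
    return !released_before_stop && t.released && t.refcount == 0;
}
```

The point the model makes is the lifetime rule itself: whoever may still call into an object later must own a reference to it, and that reference is dropped only on the path where the caller knows no further calls will be made. The same discipline applies to any kernel object that can be torn down asynchronously, such as on signal delivery.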

Remediation

The vulnerability has been addressed in the Linux kernel stable tree. Users should upgrade to the latest version of the kernel available in the Linux kernel stable tree.

Added: Oct 24, 2025, 1:17 PM
Updated: Oct 24, 2025, 1:17 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.7
remediation     7.7
relevance       0.8
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.