Linux Kernel Use-After-Free Vulnerability in VMWGFX Validation

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's VMWGFX graphics driver. The issue involves the validation nodes stored in the validation duplicates hashtable, which are managed by an arena allocator. The allocator is cleared at the end of the 'vmw_execbuf_process' function, prematurely destroying the resources of some nodes. Although all nodes should be cleared in 'vmw_validation_drop_ht', this particular node was missed, leading to the use-after-free condition.

Impact

The resulting use-after-free condition may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by adding a resource to the validation context in the VMWGFX driver. If the resource is destroyed before the validation node is cleared from the hashtable, a use-after-free condition will occur. This can be done by manipulating the resource lifecycle so that the resource is prematurely destroyed while still being referenced in the validation duplicates hashtable.
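The lifetime rule described under Vulnerability and Reproduction, as an added example that is not taken from the vmwgfx driver or from the kernel fix: a simplified user-space C model in which a table holds arena-allocated nodes, one drop routine misses a node, and a corrected one unlinks every node before the arena is cleared. All identifiers (`add_node`, `drop_ht_buggy`, `drop_ht_fixed`, `stale_entries`, `run_submission`) and the skip condition in the buggy drop are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model of the lifetime rule; all names are hypothetical, not vmwgfx code. */
#define SLOTS 16
#define BUCKETS 8
struct node  { struct node *next; unsigned key; int res_alive; };
struct arena { struct node slots[SLOTS]; size_t used; };   /* bump allocator */
struct table { struct node *bucket[BUCKETS]; };            /* duplicates table */

static int add_node(struct arena *a, struct table *t, unsigned key) {
    if (a->used == SLOTS) return -1;
    struct node *n = &a->slots[a->used++];
    n->key = key; n->res_alive = 1;
    n->next = t->bucket[key % BUCKETS];
    t->bucket[key % BUCKETS] = n;
    return 0;
}
/* Constructed bug: the drop skips a node whose resource is already gone. */
static void drop_ht_buggy(struct table *t) {
    for (int b = 0; b < BUCKETS; b++)
        for (struct node **pp = &t->bucket[b]; *pp; )
            if ((*pp)->res_alive) *pp = (*pp)->next; else pp = &(*pp)->next;
}
/* Corrected drop: unlink every node, whatever state its resource is in. */
static void drop_ht_fixed(struct table *t) {
    for (int b = 0; b < BUCKETS; b++) t->bucket[b] = NULL;
}
/* Invariant check: count entries pointing at slots the arena has released. */
static int stale_entries(const struct table *t, const struct arena *a) {
    int stale = 0;
    for (int b = 0; b < BUCKETS; b++)
        for (const struct node *n = t->bucket[b]; n; n = n->next)
            if (n >= a->slots + a->used) stale++;
    return stale;
}
/* One submission: add 3 nodes, destroy one resource early, drop, clear arena. */
static int run_submission(int use_fixed_drop) {
    struct arena a = {0};
    struct table t = {0};
    for (unsigned k = 0; k < 3; k++)
        if (add_node(&a, &t, k)) return -1;
    t.bucket[1]->res_alive = 0;   /* resource behind key 1 goes away early */
    if (use_fixed_drop) drop_ht_fixed(&t); else drop_ht_buggy(&t);
    a.used = 0;                   /* arena cleared at end of submission */
    return stale_entries(&t, &a);
}
int main(void) {
    printf("buggy: %d stale, fixed: %d stale\n", run_submission(0), run_submission(1));
    return 0;
}
```

A check like `stale_entries` can serve as a debug assertion placed just before the arena is cleared: a non-zero count means the table still references memory that is about to be released.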

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.

Added: Nov 12, 2025, 2:18 AM
Updated: Nov 12, 2025, 2:18 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.