Linux Kernel Object Extension Race Condition Vulnerability in Slab Allocator

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's slab allocator. This issue arises in the 'alloc_slab_obj_exts()' function, where two competing threads may interfere with each other. If one thread fails to allocate the object extension vector, it can mistakenly overwrite a valid extension vector from another thread with a failure indicator. This interference can lead to a null pointer dereference in the thread that lost the race. The vulnerability is present in the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can lead to a null pointer dereference, causing a kernel crash. In certain scenarios, this could be exploited to execute arbitrary code with kernel privileges.

Reproduction

To reproduce this vulnerability, two threads must be created that simultaneously call the 'alloc_slab_obj_exts()' function. One thread should be configured to fail the object extension allocation, while the other successfully allocates a valid extension vector. The thread that fails will overwrite the valid allocation in the other thread, leading to a null pointer dereference.

Remediation

The vulnerability has been addressed by updating the object extension pointer in a thread-safe manner, using an atomic compare-and-swap operation. Users should upgrade to the latest version of the Linux kernel stable tree where this fix has been applied.
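The difference between an unconditional store of the failure indicator and a compare-and-swap update can be replayed in user space. The following is an added example, not kernel code and not taken from the fix itself: `slab_model`, `EXTS_FAIL_FLAG` and the helper functions are hypothetical stand-ins, and the race is replayed in a fixed order rather than with real threads so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration, not kernel definitions. */
#define EXTS_FAIL_FLAG ((uintptr_t)1)   /* low bit marks "allocation failed" */

struct slab_model { _Atomic uintptr_t obj_exts; };

/* Racy pattern: the failing thread stores the marker unconditionally. */
static void mark_failed_unsafe(struct slab_model *s)
{
    atomic_store(&s->obj_exts, EXTS_FAIL_FLAG);
}

/* CAS pattern: the marker is written only if the slot is still empty. */
static void mark_failed_cas(struct slab_model *s)
{
    uintptr_t expected = 0;
    atomic_compare_exchange_strong(&s->obj_exts, &expected, EXTS_FAIL_FLAG);
}

/* What a later reader sees: flag bit stripped, remainder used as a pointer. */
static long *exts_vector(struct slab_model *s)
{
    return (long *)(atomic_load(&s->obj_exts) & ~EXTS_FAIL_FLAG);
}

/*
 * Replays the losing interleaving in a fixed order:
 *   1. thread A's vector allocation fails (nothing stored yet)
 *   2. thread B allocates a vector and publishes it
 *   3. thread A records its failure
 * Returns the vector pointer thread B would use afterwards.
 */
static long *replay_race(int use_cas, long *b_vector)
{
    struct slab_model slab = { 0 };
    atomic_store(&slab.obj_exts, (uintptr_t)b_vector);   /* step 2 */
    if (use_cas)                                          /* step 3 */
        mark_failed_cas(&slab);
    else
        mark_failed_unsafe(&slab);
    return exts_vector(&slab);
}

int main(void)
{
    static long vec[4];   /* constructed sample vector */
    printf("unsafe store: %p\n", (void *)replay_race(0, vec));
    printf("cas update:   %p\n", (void *)replay_race(1, vec));
    return 0;
}
```

With the unconditional store, the reader is left with a null vector even though a valid one was published; with the compare-and-swap, the published vector survives.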

Added: Dec 16, 2025, 5:34 PM
Updated: Dec 16, 2025, 5:34 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.