Linux Kernel Slab Object Extension Handling Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's management of slab object extensions, specifically in the handling of empty codetags. When the allocation of a slab extension vector fails and a later attempt succeeds, the kernel marks all objects in the vector as empty, which inadvertently sets the object's extension to 'CODETAG_EMPTY'. If this slab is later used to allocate an extension vector for another slab, the second slab's object extensions may point to a vector that contains 'CODETAG_EMPTY'. When the second slab is freed, the kernel attempts to clear the object extensions and emits a warning, because it expects a NULL value instead of 'CODETAG_EMPTY'. This vulnerability can cause the kernel to generate misleading warnings or errors, potentially obscuring real issues.

Impact

Exploitation of this vulnerability can lead to a kernel panic, causing a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by creating a slab object extension vector whose allocation first fails and then succeeds on a subsequent attempt. This sets the object's extension to 'CODETAG_EMPTY'. If the same slab is then used to allocate an extension vector for a different slab, the second slab inherits the 'CODETAG_EMPTY' extension. When the second slab is freed, the kernel generates a warning about the improper extension handling, indicating that the vulnerability has been triggered.
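The sequence described under Vulnerability and Reproduction, as an added userspace C model (not kernel code and not part of the original page). Every name except CODETAG_EMPTY is hypothetical, and the `tolerant` flag is this example's assumption about what a corrected check could look like, since the page does not describe the fix.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only: every name except CODETAG_EMPTY is hypothetical. */
#define CODETAG_EMPTY ((void *)1)
#define OBJS 4

struct slab {
    void **obj_exts;        /* one extension ref per object in this slab */
    bool alloc_failed;      /* an earlier vector allocation attempt failed */
    struct slab *vec_home;  /* slab the vector itself was allocated from */
    size_t vec_idx;         /* object index of the vector inside vec_home */
};
static int warnings;        /* stands in for the kernel warning */

/* Attach a vector; after an earlier failure every entry is marked empty. */
static void attach_exts(struct slab *s, void **vec, struct slab *home, size_t idx)
{
    for (size_t i = 0; i < OBJS; i++)
        vec[i] = s->alloc_failed ? CODETAG_EMPTY : NULL;
    s->obj_exts = vec;
    s->vec_home = home;
    s->vec_idx = idx;
}

/* Free path: clear the ref that the home slab keeps for the vector object. */
static void free_exts(struct slab *s, bool tolerant)
{
    void **ref = &s->vec_home->obj_exts[s->vec_idx];
    if (!(tolerant && *ref == CODETAG_EMPTY)) {  /* assumed fix: skip if empty */
        if (*ref != NULL)
            warnings++;     /* strict check: anything but NULL is reported */
        *ref = CODETAG_EMPTY;
    }
    s->obj_exts = NULL;
}

/* Runs the steps from the text and returns the number of warnings raised. */
int run_scenario(bool first_alloc_fails, bool tolerant)
{
    void *vec_a[OBJS], *vec_b[OBJS];
    struct slab a = { .alloc_failed = first_alloc_fails }, b = {0}; /* 1: A's first attempt */
    warnings = 0;
    attach_exts(&a, vec_a, NULL, 0);     /* 2: the retry for slab A succeeds */
    attach_exts(&b, vec_b, &a, 2);       /* 3: B's vector is object 2 of A */
    free_exts(&b, tolerant);             /* 4: slab B is freed */
    return warnings;
}

int main(void) { return run_scenario(true, false); } /* exit status = warnings */
```

With the strict check the model reports one warning only when slab A's first allocation failed; the control run without a failure and both tolerant runs report none.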

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: Dec 16, 2025, 4:40 PM
Updated: Dec 16, 2025, 4:40 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.