Linux Kernel Rust Binder Race Condition Vulnerability in Death List Management

Vulnerability

A race condition has been identified in the Rust Binder component of the Linux kernel. It stems from an unsafe operation that improperly manages a node's death list: the list can be modified while another thread may be accessing it, which creates a data race on the list's pointers and can corrupt memory. The result can be a kernel crash, because the corruption disrupts the normal handling of memory addresses, particularly those between user and kernel space.

Impact

Exploitation of this vulnerability can lead to memory corruption, causing crashes by disrupting kernel memory management and handling of virtual addresses.

Reproduction

The vulnerability can be reproduced by triggering a scenario where the Node::release method is called. This method takes a lock, moves items to a local stack list, drops the lock, and then iterates over the local list. Meanwhile, another thread can use the unsafe remove method on the original death list, which is not protected by a lock, leading to a race condition and memory corruption of the list pointers.
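The locking pattern described above, as an added user-space Rust model that is not code from the kernel or from this advisory: release_take_all mirrors the take-then-walk-unlocked sequence, and release_drain shows one way to keep every entry under the lock until a single thread owns it. Node, the method names and the u32 ids are assumptions, and a safe VecDeque stands in for the kernel's intrusive list, so the model itself cannot corrupt memory.

```rust
use std::collections::VecDeque;
use std::sync::{Arc, Mutex};
use std::thread;

// User-space model: u32 ids stand in for the kernel's intrusive death-list entries.
struct Node {
    death_list: Mutex<VecDeque<u32>>,
}

impl Node {
    fn new(n: u32) -> Arc<Self> {
        Arc::new(Node { death_list: Mutex::new((0..n).collect()) })
    }
    // Pattern described above: take the whole list under the lock, walk it unlocked.
    // The entries are now on a private list that the node's lock no longer covers.
    fn release_take_all(&self) -> VecDeque<u32> {
        std::mem::take(&mut *self.death_list.lock().unwrap())
    }
    // Hardened form: pop one entry per lock acquisition, so an entry is always
    // either on the locked list or owned by exactly one thread.
    fn release_drain(&self) -> Vec<u32> {
        let mut handled = Vec::new();
        loop {
            // The guard is a temporary and is dropped at the end of this statement.
            let next = self.death_list.lock().unwrap().pop_front();
            match next {
                Some(id) => handled.push(id),
                None => return handled,
            }
        }
    }
    // Removal by another thread, always under the lock; true if this caller got the entry.
    fn remove(&self, id: u32) -> bool {
        let mut list = self.death_list.lock().unwrap();
        let pos = list.iter().position(|&x| x == id);
        pos.map(|i| list.remove(i)).is_some()
    }
}

// Races release_drain against a remover thread; returns (drained, removed) ids.
fn race_drain(n: u32) -> (Vec<u32>, Vec<u32>) {
    let node = Node::new(n);
    let other = Arc::clone(&node);
    let remover = thread::spawn(move || (0..n).rev().filter(|&id| other.remove(id)).collect::<Vec<u32>>());
    let drained = node.release_drain();
    (drained, remover.join().unwrap())
}

fn main() {
    let (drained, removed) = race_drain(1000);
    println!("drained {} removed {}", drained.len(), removed.len());
}
```

In the model, a remove issued after release_take_all simply finds nothing on the locked list; an intrusive list's remove instead unlinks through the entry's own pointers, which is why the same sequence in the kernel touches the list being walked without the lock.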

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Dec 16, 2025, 3:27 PM
Updated: Dec 16, 2025, 3:27 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.