Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's netconsole feature, specifically within the stable tree. Operations that iterate over the userdata group's 'cg_children' list can race with concurrent additions or removals of userdata items through configfs. Without proper locking, the list can be accessed in an inconsistent state, potentially causing iteration functions to hang or fail to complete. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can lead to a deadlock situation, where the iteration over the userdata list is disrupted by concurrent modifications, causing the process to hang indefinitely.
The vulnerability can be reproduced by initiating operations that iterate over the userdata group's 'cg_children' list while userdata items are simultaneously added or removed through configfs. Triggering the 'userdatum_value_store' function or any of the 'sysdata_*_enabled_store' functions causes the 'cg_children' list to be iterated without the necessary mutex protection, allowing the race condition to occur.
The vulnerability has been addressed by modifying the netconsole code to acquire the configfs subsystem mutex before performing any operation that iterates over the userdata group's 'cg_children' list. This change ensures that the list is accessed in a consistent state, preventing the race condition from occurring.
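The hang and the locking fix described above, modeled in userspace C as an added example (not the kernel's code or the actual patch). It assumes the remover unlinks entries with the semantics of the kernel's `list_del_init()`, which the page does not spell out; `su_mutex_held`, `try_remove`, `count_entries` and `MAX_STEPS` are hypothetical names, and a flag stands in for the configfs subsystem mutex.

```c
#include <stdio.h>
/* Userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
/* Same semantics as the kernel's list_del_init(): unlink, then self-link. */
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = n;
}

static int su_mutex_held;   /* flag standing in for the configfs subsystem mutex */
/* Remover (models removal of a userdata item): needs the mutex to unlink. */
static int try_remove(struct list_head *n)
{
    if (su_mutex_held) return 0;    /* a real remover would sleep until unlock */
    list_del_init(n);
    return 1;
}

#define MAX_STEPS 1000      /* bound so the model reports a hang instead of spinning */
/* Count entries on cg_children while a removal of `victim` is attempted as the cursor
 * sits on it. take_lock=0: unlocked walk; 1: walk under the mutex. -1 means no end. */
static int count_entries(struct list_head *cg_children,
                         struct list_head *victim, int take_lock)
{
    int n = 0, steps = 0;
    su_mutex_held = take_lock;
    for (struct list_head *pos = cg_children->next; pos != cg_children; pos = pos->next) {
        if (++steps > MAX_STEPS) { n = -1; break; }
        if (pos == victim) try_remove(victim);   /* interleaved concurrent removal */
        n++;
    }
    su_mutex_held = 0;
    return n;
}

int main(void)
{
    struct list_head head, a, b, c;   /* constructed sample: three userdata items */
    list_init(&head); list_add_tail(&a, &head);
    list_add_tail(&b, &head); list_add_tail(&c, &head);
    printf("locked walk:   %d\n", count_entries(&head, &b, 1));
    printf("unlocked walk: %d\n", count_entries(&head, &b, 0));
}
```

In the unlocked walk the cursor is left on a node whose `next` points to itself, so the loop can never reach the list head again; under the mutex the removal is deferred until the walk has finished.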