Linux Kernel Regulator Supply Alias List Race Condition Vulnerability

Vulnerability

A vulnerability in the Linux kernel's regulator core, caused by improper handling of the regulator_supply_alias_list, has been addressed. Several functions accessed this list without any locking, including regulator_supply_alias, regulator_register_supply_alias, and regulator_unregister_supply_alias. Without synchronization, concurrent operations could interfere with each other, potentially leading to a use-after-free condition if an alias entry was removed while being accessed, duplicate entries when two threads registered the same alias, and inconsistent alias mappings observed by consumers. The fix takes the existing regulator_list_mutex around all traversals, insertions, and deletions on the regulator_supply_alias_list.
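
The locking discipline described above, sketched as a userspace model in which a pthread mutex stands in for regulator_list_mutex. This is an added example, not the kernel patch; the struct, the function names and the -EEXIST/-ENOENT return values are assumptions of the model.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct alias { struct alias *next; char supply[32], target[32]; }; /* names < 32 bytes */
static struct alias *alias_list;   /* userspace model; all names hypothetical */
static pthread_mutex_t list_mutex = PTHREAD_MUTEX_INITIALIZER;
/* Caller must hold list_mutex. Returns the link that points at the match. */
static struct alias **find_locked(const char *supply)
{
    struct alias **pp = &alias_list;
    while (*pp && strcmp((*pp)->supply, supply)) pp = &(*pp)->next;
    return pp;
}
/* Duplicate check and insertion share one critical section (no double add). */
int alias_register(const char *supply, const char *target)
{
    struct alias *a = calloc(1, sizeof(*a));      /* allocate outside the lock */
    if (!a) return -ENOMEM;
    snprintf(a->supply, sizeof(a->supply), "%s", supply);
    snprintf(a->target, sizeof(a->target), "%s", target);
    pthread_mutex_lock(&list_mutex);
    int ret = *find_locked(supply) ? -EEXIST : 0;
    if (!ret) { a->next = alias_list; alias_list = a; a = NULL; }
    pthread_mutex_unlock(&list_mutex);
    free(a);                                      /* non-NULL only on -EEXIST */
    return ret;
}
/* Unlink under the lock; free once no locked traversal can reach the node. */
int alias_unregister(const char *supply)
{
    pthread_mutex_lock(&list_mutex);
    struct alias **pp = find_locked(supply), *victim = *pp;
    if (victim) *pp = victim->next;
    pthread_mutex_unlock(&list_mutex);
    int ret = victim ? 0 : -ENOENT;
    free(victim);                                 /* free(NULL) is a no-op */
    return ret;
}
/* Copy the mapping out while locked; never return a pointer into the list. */
int alias_lookup(const char *supply, char *out, size_t outlen)
{
    int ret = -ENOENT;
    pthread_mutex_lock(&list_mutex);
    struct alias *a = *find_locked(supply);
    if (a) { snprintf(out, outlen, "%s", a->target); ret = 0; }
    pthread_mutex_unlock(&list_mutex);
    return ret;
}
```

Each of the three outcomes listed above maps to one rule in the model: the lookup copies out under the lock (no stale pointer), the existence check and insert are one critical section (no duplicates), and every reader takes the same mutex as the writers (no inconsistent view).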

Impact

The vulnerability could cause a use-after-free condition, leading to memory corruption. It could also lead to duplicate entries in the alias list, leaving consumers with confusing or conflicting alias mappings.

Reproduction

The vulnerability can be reproduced by concurrently registering and unregistering supply aliases from different threads without proper synchronization. This can be done by creating a program that uses multiple threads to call the regulator_register_supply_alias and regulator_unregister_supply_alias functions simultaneously, which will expose the race condition by causing duplicate entries or a use-after-free situation.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.

Added: Dec 24, 2025, 12:19 PM
Updated: Dec 24, 2025, 12:19 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.