Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's handling of Macintosh HID emulation. The issue, present in the stable Linux kernel, arises when two processes concurrently write to the mac-hid emulation sysctl: both read the same initial value and then each attempts to register the input handler, so the handler is added to the list twice. It was observed while running syzkaller, a kernel fuzzer, which triggered a warning about the double addition.
When the race is triggered, concurrent processes can interfere with each other's operations, potentially causing unexpected behavior in the HID emulation functionality.
The vulnerability can be reproduced by concurrently writing to the mac-hid emulation sysctl from two different processes. This can be done by using a tool like syzkaller, which will simulate the concurrent writes and trigger the race condition. The kernel will generate a warning about the double addition to the list, indicating that the race condition has occurred.
The vulnerability has been addressed by modifying the mac_hid_toggle_emumouse function to read the old value of the sysctl parameter within a mutex lock, preventing concurrent processes from interfering with each other. Users should update to the latest version of the Linux kernel where this fix has been applied.
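The ordering problem and its fix, replayed deterministically as an added example: this is a userspace model, not the kernel's code, and every struct and function name in it is hypothetical. A registration count of 2 stands for the double addition to the list described above.

```c
#include <stdio.h>
/* Userspace model with hypothetical names; not the kernel's code.
 * Each call is one atomic step of a replayed schedule. */
struct emu_state {
    int value;          /* models the sysctl integer (0 = off, 1 = on) */
    int registrations;  /* times the handler sits on the handler list */
};
/* new_val: value this process writes; old_val: its snapshot of the old one */
struct writer { int new_val, old_val; };

/* Read of the old value; where it runs relative to the lock is the bug. */
static void snapshot(const struct emu_state *st, struct writer *w) {
    w->old_val = st->value;
}

/* Region under the mutex: store the value, act only on a change. */
static void apply_locked(struct emu_state *st, const struct writer *w) {
    st->value = w->new_val;
    if (st->value == w->old_val)
        return;                 /* no transition seen */
    if (st->value == 1)
        st->registrations++;    /* handler added to the list */
    else if (st->value == 0)
        st->registrations--;    /* handler removed */
}

/* Racy: both writers snapshot 0 before either takes the lock. */
int racy_registrations(void) {
    struct emu_state st = {0, 0};
    struct writer a = {1, 0}, b = {1, 0};
    snapshot(&st, &a);
    snapshot(&st, &b);
    apply_locked(&st, &a);
    apply_locked(&st, &b);      /* still sees 0 -> 1, registers again */
    return st.registrations;
}

/* Fixed: the snapshot moves inside each writer's locked region. */
int fixed_registrations(void) {
    struct emu_state st = {0, 0};
    struct writer a = {1, 0}, b = {1, 0};
    snapshot(&st, &a); apply_locked(&st, &a);   /* writer A, lock held */
    snapshot(&st, &b); apply_locked(&st, &b);   /* writer B sees 1 */
    return st.registrations;
}

int main(void) {
    printf("racy=%d fixed=%d\n", racy_registrations(), fixed_registrations());
    return 0;
}
```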