Linux Kernel rpmsg Driver Race Condition Vulnerability Leading to Use-After-Free

Vulnerability

A race condition has been identified in the Linux kernel's rpmsg driver, specifically in the driver_override_show and driver_override_store attribute handlers. driver_override_show reads the driver_override string without holding the device lock, while driver_override_store modifies and frees that same string with the device lock held. Because the reader is not serialized against the writer, the store function can free the string before the show function has finished reading it, which is a use-after-free. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability creates a race condition that can be exploited to cause a use-after-free error, potentially leading to memory corruption or arbitrary code execution.

Reproduction

The race is reached through the driver_override attribute of an rpmsg device. A read of the attribute runs driver_override_show, which reads the string without taking the device lock, while a concurrent write runs driver_override_store, which modifies and frees the string with the lock held. If the write completes between the read's fetch of the string pointer and its use of that string, the show function operates on freed memory, causing a use-after-free condition.

Remediation

The vulnerability has been addressed by updating the rpmsg driver to use explicit show and store functions for the driver_override attribute. The revised driver_override_show function holds the device lock for the duration of the read, so a concurrent store cannot free the string while it is being read. Users should upgrade to a patched version of the Linux kernel.
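The following is an added userspace model of the race described above and of the fix; it is not kernel code and not the rpmsg driver's own code. It assumes a pthread mutex standing in for device_lock()/device_unlock(), strdup()/free() standing in for kstrdup()/kfree(), and a constructed last_freed bookkeeping variable so the vulnerable reader can report that it is about to touch freed memory instead of actually dereferencing it. The unlocked show lets a concurrent store complete between its pointer fetch and its copy, which is the window the advisory describes; the locked show holds the lock across the copy, so the store blocks until the read is done.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of one rpmsg device. The mutex stands in for the device lock,
 * driver_override is the heap string behind the attribute. */
struct model_dev {
    pthread_mutex_t lock;
    char *driver_override;
};

/* Constructed detection aid (not part of any real driver): remember the
 * last freed pointer so a reader can detect a would-be use-after-free. */
static char *last_freed;

static void model_kfree(char *p) { last_freed = p; free(p); }

static void model_dev_init(struct model_dev *dev, const char *initial)
{
    pthread_mutex_init(&dev->lock, NULL);
    dev->driver_override = strdup(initial);
}

/* store side: swap in the new string and free the old one with the
 * device lock held, as the advisory describes for driver_override_store. */
static int driver_override_store(struct model_dev *dev, const char *buf)
{
    char *new_str = strdup(buf);
    if (!new_str)
        return -1;
    pthread_mutex_lock(&dev->lock);
    model_kfree(dev->driver_override);
    dev->driver_override = new_str;
    pthread_mutex_unlock(&dev->lock);
    return 0;
}

/* One concurrent write of the attribute, run on its own thread. */
static void *writer_thread(void *arg)
{
    driver_override_store(arg, "new-driver");
    return NULL;
}

/* Vulnerable show: fetches the pointer without the lock, then lets the
 * writer finish before the copy. Returns -1 when the string it would
 * copy has already been freed (real code would read freed memory here). */
static int driver_override_show_unlocked(struct model_dev *dev, char *out, size_t n)
{
    pthread_t w;
    char *p = dev->driver_override;        /* no device_lock() taken */
    pthread_create(&w, NULL, writer_thread, dev);
    pthread_join(w, NULL);                 /* store has run and freed *p */
    if (p == last_freed)
        return -1;
    snprintf(out, n, "%s", p);
    return 0;
}

/* Fixed show: copies with the lock held, so the concurrent store blocks
 * in pthread_mutex_lock() until the copy is complete. */
static int driver_override_show_locked(struct model_dev *dev, char *out, size_t n)
{
    pthread_t w;
    pthread_mutex_lock(&dev->lock);
    pthread_create(&w, NULL, writer_thread, dev);  /* waits for our unlock */
    snprintf(out, n, "%s", dev->driver_override);
    pthread_mutex_unlock(&dev->lock);
    pthread_join(w, NULL);
    return 0;
}

/* Returns 1 when the unlocked reader would have used freed memory. */
int demo_unlocked_detects_uaf(void)
{
    struct model_dev dev;
    char buf[32];
    model_dev_init(&dev, "old-driver");
    int rc = driver_override_show_unlocked(&dev, buf, sizeof buf);
    free(dev.driver_override);
    pthread_mutex_destroy(&dev.lock);
    return rc == -1;
}

/* Returns 1 when the locked reader saw the old value intact and the
 * concurrent store still landed once the lock was released. */
int demo_locked_reads_consistently(void)
{
    struct model_dev dev;
    char buf[32];
    model_dev_init(&dev, "old-driver");
    int rc = driver_override_show_locked(&dev, buf, sizeof buf);
    int ok = rc == 0 && strcmp(buf, "old-driver") == 0 &&
             strcmp(dev.driver_override, "new-driver") == 0;
    free(dev.driver_override);
    pthread_mutex_destroy(&dev.lock);
    return ok;
}

int main(void)
{
    printf("unlocked show detects use-after-free: %d\n", demo_unlocked_detects_uaf());
    printf("locked show reads consistently: %d\n", demo_locked_reads_consistently());
    return 0;
}
```

The point of the model is the ordering, not the threads themselves: in the unlocked variant the pointer is captured before the writer runs and is stale by the time it is used, whereas in the locked variant the writer cannot reach kfree() until the reader has released the lock, which is exactly what the fix's locked driver_override_show achieves.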

Added: May 6, 2026, 6:06 PM
Updated: May 6, 2026, 6:06 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          0.6
  exploitability  3.9
  remediation     7.7
  relevance       7.6
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.