Linux Kernel DAMON Subsystem Use-After-Free Vulnerability in Inactive Contexts

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's DAMON (Data Access Monitoring) subsystem. This issue arises when the damon_call() function is invoked on a DAMON context that is not active. The function returns an error but leaves a control object linked to the context's call_controls list. If this object is deallocated and another damon_call() is made to the same context, the function attempts to add a new control object to a list that still references the now-deallocated object, leading to a use-after-free condition. This vulnerability can be triggered through the DAMON sysfs interface, although exploitation is not straightforward as it requires sysfs write permissions and unusual file write operations.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

To reproduce this vulnerability, first, ensure that the DAMON subsystem is active and that the target context is not running. Then, invoke the damon_call() function on the inactive context. The function will return an error while leaving the damon_call_control object linked to the context's call_controls list. After the control object is deallocated, repeat the damon_call() invocation on the same context. The function will attempt to add a new damon_call_control object to the call_controls list, referencing the previously deallocated object, thus triggering the use-after-free vulnerability.
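The list handling described in the Vulnerability and Reproduction sections, as an added user-space C model that is not the kernel's code or the actual patch. The type and function names, the -1 return value and the unlink-on-error path are assumptions made for illustration. The model shows that a failed call on an inactive context leaves the control object reachable from call_controls, and that removing it on the error path leaves the list empty.

```c
/* User-space model of the list handling; every name here is hypothetical. */
#include <stdbool.h>

struct node { struct node *prev, *next; };   /* kernel-style list link */
struct model_ctx { bool running; struct node call_controls; };
struct model_control { struct node list; };
static void list_init(struct node *h) { h->prev = h->next = h; }

static void list_add_tail(struct node *n, struct node *h)
{
    n->prev = h->prev;
    n->next = h;
    h->prev->next = n;   /* writes through h->prev: unsafe if that node was freed */
    h->prev = n;
}

static void list_del(struct node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* Links ctl first, then fails when the context is inactive. */
static int model_call(struct model_ctx *c, struct model_control *ctl, bool unlink_on_error)
{
    list_add_tail(&ctl->list, &c->call_controls);
    if (c->running)
        return 0;
    if (unlink_on_error)
        list_del(&ctl->list);   /* corrected error path */
    return -1;                  /* flawed path returns with ctl still on the list */
}

static int model_stale_links(bool unlink_on_error)
{
    struct model_ctx c = { .running = false };
    struct model_control ctl;
    int n = 0;
    list_init(&c.call_controls);
    (void)model_call(&c, &ctl, unlink_on_error);   /* fails: context is inactive */
    for (struct node *p = c.call_controls.next; p != &c.call_controls; p = p->next)
        n++;
    return n;   /* control objects still reachable after the failed call */
}

int main(void)
{
    return !(model_stale_links(false) == 1 && model_stale_links(true) == 0);
}
```

With the flawed path, the caller sees an error and may free the object while the list head still points at it, so the next list_add_tail() on that context writes through the stale pointer.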

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: Jan 25, 2026, 3:19 PM
Updated: Jan 25, 2026, 3:19 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 2.8
remediation: 7.7
relevance: 2.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.