Linux Kernel uacce Driver Double Free Vulnerability via Improper mremap Handling

Vulnerability

A vulnerability has been identified in the virtual memory operations of the Linux kernel's uacce driver. The uacce_vm_ops structure does not properly manage the mremap operation, which can lead to a double free. When an application remaps a mapped address and the driver does not explicitly handle the operation, the same resource can be freed more than once, potentially corrupting memory.

Impact

Exploitation of this vulnerability could result in memory corruption due to a double free condition, where a resource is freed twice, potentially leading to use-after-free vulnerabilities or other memory management issues.

Reproduction

To reproduce this vulnerability, an application can first map a memory address using mmap, then remap it to a new address with mremap. After unmapping the original address, the application can unmap the new address. The default mremap behavior will copy the original memory area's private data to the new area, causing both unmap operations to close the virtual memory area and free the associated resource twice.
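A userspace model of the sequence described above, added here as an illustration and not taken from the uacce driver or any kernel patch: it counts how often the one shared resource is released when the remap is left to default behavior versus when the driver handles it. All struct and function names are hypothetical, and refusing the remap with -EPERM is an assumed form of explicit handling.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model only; every name below is hypothetical, not uacce code. */
struct region { int release_calls; };        /* resource owned by a mapping */
struct model_vma {
    struct region *priv;                     /* stands in for the area's private data */
    int (*mremap_hook)(struct model_vma *);  /* NULL: default remap behavior applies */
};

/* Close handler: releases whatever the area's private data points at.
 * The release is counted instead of calling free() so the model stays defined. */
static void model_close(struct model_vma *vma) { vma->priv->release_calls++; }

/* Assumed explicit handling: the driver refuses to have its mapping moved. */
static int reject_mremap(struct model_vma *vma) { (void)vma; return -EPERM; }

/* Remap: consult the driver hook if one is set; otherwise the new area
 * inherits a copy of the old area's private data pointer. */
static int model_mremap(struct model_vma *old_vma, struct model_vma *new_vma)
{
    int rc = old_vma->mremap_hook ? old_vma->mremap_hook(old_vma) : 0;
    if (rc)
        return rc;
    *new_vma = *old_vma;
    return 0;
}

/* The page's sequence: map, remap, unmap the original, unmap the new address.
 * Returns how many times the single region was released. */
int release_count_after_sequence(int driver_handles_mremap)
{
    struct region r = { 0 };
    struct model_vma p1 = { &r, driver_handles_mremap ? reject_mremap : NULL };
    struct model_vma p2 = { NULL, NULL };
    int moved = (model_mremap(&p1, &p2) == 0);

    model_close(&p1);
    if (moved)
        model_close(&p2);
    return r.release_calls;
}

int main(void)
{
    printf("default: %d, handled: %d\n",
           release_count_after_sequence(0), release_count_after_sequence(1));
    return 0;
}
```

A release count above one for a single region is the double free condition; with the hook in place the second area never exists, so only one close runs.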

Remediation

Users can apply the latest patches from the Linux kernel stable tree to address this vulnerability.

Added: Feb 4, 2026, 6:29 PM
Updated: Feb 4, 2026, 6:29 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 3.9
remediation: 7.7
relevance: 2.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.