Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's virtual memory area (VMA) management. The issue arises when anonymous VMAs are merged during an 'mremap()' operation, specifically when a faulted VMA is moved adjacent to an unfaulted VMA. The defect was introduced by a patch that enabled previously unavailable VMA merge scenarios but did not correctly handle every merge case. Automated testing revealed that the merge path mishandled the duplication of anonymous VMA state when merging newly created VMAs under these conditions. As a result, an anonymous VMA could be freed while memory folios still referenced it, leaving a dangling pointer and a use-after-free.
Exploitation of this vulnerability leads to a use-after-free condition, where a freed anonymous VMA is still referenced by memory folios, potentially causing memory corruption or allowing for arbitrary code execution.
The vulnerability can be reproduced by invoking the 'mremap()' function to move a faulted VMA adjacent to an unfaulted VMA, while specifying the 'MREMAP_DONTUNMAP' flag. This operation will trigger the faulty merging logic, resulting in the use-after-free condition.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.