Linux kernel
Affected product (CPE): cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (4 further CPE entries not shown)
A data-race vulnerability has been identified in the Linux kernel's mISDN subsystem, specifically in its timer device management. The 'dev->work' variable is read without proper synchronization in the 'mISDN_read()' and 'mISDN_poll()' functions. The race arises from the absence of appropriate memory access annotations on that variable, so a reader can observe inconsistent data. The data race was detected by the Kernel Concurrency Sanitizer (KCSAN), highlighting risks in how timer events are managed within the mISDN driver.
Exploitation of this vulnerability could lead to undefined behavior in the mISDN driver, particularly in how timer events are handled, potentially causing incorrect processing of ISDN data or events.
The vulnerability can be reproduced by invoking the 'mISDN_ioctl' function, which triggers a write operation to the 'dev->work' variable. This can be done by adding a timer through the 'misdn_add_timer' function, which updates the 'work' variable and wakes up any processes waiting on the 'dev->wait' condition. Simultaneously, the 'mISDN_read' function can be called to read the 'work' variable, creating a race condition by accessing the variable without proper locking. This scenario can be automated with a script that uses the 'syzbot' fuzzer, which is designed to find such concurrency issues.
The vulnerability has been addressed by adding the necessary memory access annotations to the 'dev->work' variable, ensuring that it is read and written with proper synchronization. Users should upgrade to the latest patched version of the Linux kernel.
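As an added illustration (not the kernel's code nor the upstream patch), the following userspace C model reproduces the access pattern described above: a timer path writes 'dev->work' under a lock while the read and poll paths check it with no lock held. It assumes the fix applies the kernel's READ_ONCE()/WRITE_ONCE() annotations, modelled here with C11 relaxed atomics; the struct layout and every function name are reduced stand-ins, not the driver's own.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>

/* Kernel-style annotations modelled with C11 relaxed atomics (assumption: the
 * upstream fix annotates dev->work with READ_ONCE()/WRITE_ONCE()). */
#define READ_ONCE(x)     atomic_load_explicit(&(x), memory_order_relaxed)
#define WRITE_ONCE(x, v) atomic_store_explicit(&(x), (v), memory_order_relaxed)
struct mISDNtimerdev {        /* hypothetical, reduced shape of the real struct */
    atomic_int work;          /* id of the timer that fired, 0 = nothing pending */
    pthread_mutex_t lock;     /* stand-in for the driver's spinlock */
};

/* Timer side (set up by misdn_add_timer()): publish the pending timer under
 * the lock; in the kernel this is followed by wake_up(&dev->wait). */
static void timer_fired(struct mISDNtimerdev *dev, int timer_id)
{
    pthread_mutex_lock(&dev->lock);
    WRITE_ONCE(dev->work, timer_id);
    pthread_mutex_unlock(&dev->lock);
}
/* mISDN_poll() analogue: checks work with no lock held. A plain dev->work here
 * is the KCSAN-reported race; the annotation makes it one untorn load. */
static int poll_ready(struct mISDNtimerdev *dev) { return READ_ONCE(dev->work) != 0; }

/* mISDN_read() analogue: wait_event(dev->wait, dev->work) becomes a yield loop
 * whose unlocked condition must be annotated (else the compiler may hoist the
 * load out of the loop); the value is then consumed under the lock. */
static int read_work(struct mISDNtimerdev *dev)
{
    while (!READ_ONCE(dev->work))
        sched_yield();
    pthread_mutex_lock(&dev->lock);
    int id = atomic_exchange_explicit(&dev->work, 0, memory_order_relaxed);
    pthread_mutex_unlock(&dev->lock);
    return id;
}
struct fire_arg { struct mISDNtimerdev *dev; int id; };
static void *fire_thread(void *p) { struct fire_arg *a = p; timer_fired(a->dev, a->id); return NULL; }

/* Races one timer thread against the reader; returns the id the reader saw,
 * or -1 if the poll path still reports work pending after it was consumed. */
int run_race_model(int timer_id)
{
    struct mISDNtimerdev dev = { .work = 0, .lock = PTHREAD_MUTEX_INITIALIZER };
    struct fire_arg arg = { &dev, timer_id };
    pthread_t t;
    pthread_create(&t, NULL, fire_thread, &arg);
    int seen = read_work(&dev);
    pthread_join(t, NULL);
    return poll_ready(&dev) ? -1 : seen;
}
```

Building the same model with the annotations replaced by plain accesses and running it under ThreadSanitizer reports the unlocked read in read_work() and poll_ready() as a data race, which is the userspace counterpart of the KCSAN finding.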