Linux Kernel Use-After-Free Vulnerability in perf_mmap

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's perf subsystem, specifically within the perf_mmap() function. This issue arises from a race condition between a failing memory mapping setup and a simultaneous mapping operation on a related event, such as one using output redirection. When the mapping process fails, the cleanup function perf_mmap_close() is called. However, this can create a window where another thread might access a partially initialized or about-to-be-freed ring buffer, leading to a use-after-free condition. The vulnerability has been addressed by modifying the mutex handling to ensure that the ring buffer setup and mapping operations are completed atomically, preventing concurrent threads from interfering with the process.
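The locking change described above can be checked with a small model. This is an added example, not kernel code and not taken from the fix itself: it is a simplified user-space model in C that enumerates every interleaving the mutex allows between a failing mapping (thread A) and a related event attaching to the buffer (thread B). The step names PUBLISH, MAP_FAIL, FREE and ATTACH and the two step lists are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model, not kernel code: each thread is a list of steps and
 * explore() walks every interleaving that the mutex allows. */
enum op { LOCK, UNLOCK, PUBLISH, MAP_FAIL, FREE, ATTACH, END };

/* Thread A, old pattern: mutex dropped between publishing the ring buffer
 * and the mapping step; cleanup re-takes it after the failure. */
static const enum op a_racy[]  = { LOCK, PUBLISH, UNLOCK, MAP_FAIL,
                                   LOCK, FREE, UNLOCK, END };
/* Thread A, fixed pattern: setup, mapping and cleanup in one critical section. */
static const enum op a_fixed[] = { LOCK, PUBLISH, MAP_FAIL, FREE, UNLOCK, END };
/* Thread B: a related event attaching to whatever buffer is published. */
static const enum op b_attach[] = { LOCK, ATTACH, UNLOCK, END };

struct state { int owner; int published; int hazard; };  /* owner: 0 none, 1 A, 2 B */

static int step(struct state *s, enum op o, int who)
{
    switch (o) {
    case LOCK:    if (s->owner) return 0; s->owner = who; break;  /* blocked if held */
    case UNLOCK:  s->owner = 0; break;
    case PUBLISH: s->published = 1; break;
    case FREE:    s->published = 0; break;
    case ATTACH:  if (s->published) s->hazard = 1; break;  /* doomed buffer seen */
    default:      break;
    }
    return 1;
}

/* Returns the number of complete schedules in which B attached to a buffer
 * whose mapping never succeeded. */
static int explore(const enum op *a, const enum op *b, struct state s)
{
    int n = 0;
    struct state t;
    if (*a == END && *b == END) return s.hazard;
    if (*a != END) { t = s; if (step(&t, *a, 1)) n += explore(a + 1, b, t); }
    if (*b != END) { t = s; if (step(&t, *b, 2)) n += explore(a, b + 1, t); }
    return n;
}

int racy_hazards(void)  { struct state s = {0, 0, 0}; return explore(a_racy, b_attach, s); }
int fixed_hazards(void) { struct state s = {0, 0, 0}; return explore(a_fixed, b_attach, s); }

int main(void)
{
    printf("racy: %d hazardous schedules, fixed: %d\n", racy_hazards(), fixed_hazards());
    return 0;
}
```

In the model, the hazardous schedules are exactly those where thread B takes the mutex in the gap between thread A's two critical sections; holding the mutex across setup, mapping and cleanup removes that gap.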

Impact

This vulnerability can lead to a use-after-free condition, causing memory corruption that could be exploited to execute arbitrary code or cause a denial of service.

Reproduction

The vulnerability can be reproduced by creating a scenario where a memory mapping operation in perf_mmap() fails, while simultaneously another thread attempts to access the same event through inherited events or output redirection. This can be achieved by using a tool like Syzkaller, which reported the vulnerability.

Remediation

Users can upgrade to the latest version of the Linux kernel, in which this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Mar 18, 2026, 11:23 AM
Updated: Mar 18, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 3.9
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.