Linux Kernel Futex Use-After-Free Vulnerability in Memory Policy Handling

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's futex implementation, affecting versions prior to the fix referenced in this entry. In the 'futex_key_to_node_opt()' function, the virtual memory area's memory policy is read under a speculative memory-map lock and an RCU read-side critical section. Concurrently, 'mbind()' may invoke 'vma_replace_policy()', which frees the old memory policy immediately. This creates a race condition in which 'futex_key_to_node()' can dereference an already-freed memory policy pointer, resulting in a use-after-free read of the policy's mode field. The vulnerability was reported by Hao-Yu Yang and is fixed by adding RCU synchronization to the memory policy management functions.

Impact

Triggering this vulnerability causes a use-after-free condition in which freed kernel memory is accessed, potentially leading to memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a race between 'futex_key_to_node_opt()' and 'vma_replace_policy()'. Invoking 'mbind()' to replace the virtual memory area's policy while 'futex_key_to_node_opt()' is concurrently reading it causes the reader to fetch the old policy from memory that has already been freed, triggering the use-after-free.
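The race described in the Vulnerability and Reproduction sections, reduced to a single-threaded user-space model (an added example, not kernel code): the reader snapshots the policy pointer inside an RCU read-side section, the writer replaces the policy in between, and the reader then dereferences its snapshot. The model deliberately interleaves the two paths, simulates freeing by poisoning the mode field, and models the fix as deferring the free until the last reader leaves its critical section (the kernel uses a real RCU grace period). All names and values are constructed for the model; they are not the kernel's own.

```c
#include <stdbool.h>
#include <stddef.h>

/* Single-threaded model of the futex/mbind race (added example, not kernel
 * code). "Freeing" poisons the mode so a stale read is easy to detect. */
#define MPOL_FREED (-1)            /* poison written by our simulated free */
#define MPOL_BIND 2                /* arbitrary mode values for the model */
#define MPOL_INTERLEAVE 3

struct mempolicy { int mode; };
static struct mempolicy *vma_policy;      /* stands in for vma->vm_policy */
static int rcu_readers;                   /* open rcu_read_lock() sections */
static struct mempolicy *deferred_free;   /* pending deferred-free victim */

static void mpol_free_now(struct mempolicy *p) { p->mode = MPOL_FREED; }

static void rcu_read_lock(void) { rcu_readers++; }
static void rcu_read_unlock(void) {
    rcu_readers--;
    if (rcu_readers == 0 && deferred_free) {  /* grace period ends here */
        mpol_free_now(deferred_free);
        deferred_free = NULL;
    }
}

/* Writer side: mbind() -> vma_replace_policy(). The vulnerable variant frees
 * the old policy immediately; the fixed variant defers the free while any
 * reader may still hold the old pointer (models kfree_rcu()). */
static void vma_replace_policy(struct mempolicy *newpol, bool rcu_fixed) {
    struct mempolicy *old = vma_policy;
    vma_policy = newpol;
    if (!rcu_fixed || rcu_readers == 0)
        mpol_free_now(old);
    else
        deferred_free = old;
}

/* Reader side: futex_key_to_node_opt() snapshots the pointer under RCU, the
 * writer runs, then the snapshot is dereferenced. Returns the mode observed. */
static int model_race(bool rcu_fixed) {
    struct mempolicy old = { .mode = MPOL_BIND };
    struct mempolicy newpol = { .mode = MPOL_INTERLEAVE };
    vma_policy = &old; rcu_readers = 0; deferred_free = NULL;
    rcu_read_lock();
    struct mempolicy *pol = vma_policy;        /* read vma->vm_policy */
    vma_replace_policy(&newpol, rcu_fixed);    /* concurrent mbind() */
    int mode = pol->mode;                      /* the racy dereference */
    rcu_read_unlock();
    return mode;
}
```

With immediate freeing the reader observes the poisoned mode; with the deferred free it observes the policy it snapshotted, which is the property the RCU fix restores.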

Remediation

Users should upgrade to the latest version of the Linux kernel where this vulnerability has been patched.

Added: Apr 2, 2026, 12:21 PM
Updated: Apr 2, 2026, 12:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.