Cryptodev-Linux Privilege Escalation Vulnerability via Page Reference Handling Flaw

Vulnerability

A use-after-free vulnerability has been identified in the Cryptodev-Linux kernel module, in versions through 1.14. The flaw is in the 'get_userbuf' function of the '/dev/crypto' device driver, where improper handling of page references allows local users to decrement the reference counts of pages they control. Those pages can then be freed while they are still accessible, creating a use-after-free condition that can be leveraged for local privilege escalation.

Impact

A local user can manipulate page reference counts to create a use-after-free condition and use it to gain elevated privileges.

Reproduction

The vulnerability can be reproduced by allocating a large number of pages in a process, which depletes the 'MIGRATE_UNMOVABLE' freelists. Afterward, the 'get_userbuf' function can be called with a destination buffer that is invalid, triggering the use-after-free condition. Once the pages are freed, they can be flushed back to the buddy allocator and reallocated as slab pages, where the 'struct file' objects can be sprayed and manipulated to gain write access to files like '/etc/passwd'.

Remediation

Users can update to Cryptodev-Linux version 1.15 or later, where this vulnerability has been fixed.
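
A host triage check for the remediation above, as an added example that is not part of the original advisory or of the Cryptodev-Linux project: it reports whether the driver is present and whether a supplied version string falls in the affected range (through 1.14). The function names and the /sys/module/cryptodev default are assumptions, and the version string is supplied by the operator because the page does not say how the module reports it.

```shell
#!/bin/sh
# Added example: classify a host against the affected Cryptodev-Linux range
# (versions through 1.14, fixed in 1.15). Function names are hypothetical.

# Return 0 if the version is affected (<= 1.14), 1 if fixed (>= 1.15),
# 2 if no major.minor can be parsed. Components are compared as numbers,
# so 1.9 sorts below 1.14 (a plain string comparison gets that wrong).
cryptodev_version_affected() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    set -- $v                      # $1 = major, $2 = minor
    if [ "$1" -lt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -lt 15 ]; }; then
        return 0
    fi
    return 1
}

# Print one of: not-present, affected, fixed, unknown-version.
#   $1 sysfs module directory (assumed default: /sys/module/cryptodev)
#   $2 device node            (default: /dev/crypto, as named in the advisory)
#   $3 installed version string, supplied by the operator (assumption: taken
#      from the package manager or build tree; may be empty)
cryptodev_triage() {
    sysdir=${1:-/sys/module/cryptodev}
    dev=${2:-/dev/crypto}
    ver=${3:-}
    # Neither the loaded module nor the device node: the driver is not
    # reachable on the running system.
    if [ ! -d "$sysdir" ] && [ ! -e "$dev" ]; then
        echo "not-present"
        return 0
    fi
    rc=0
    cryptodev_version_affected "$ver" || rc=$?
    case $rc in
        0) echo "affected" ;;
        1) echo "fixed" ;;
        *) echo "unknown-version" ;;
    esac
}

# Stand-alone use: ./check.sh 1.14
cryptodev_triage "" "" "${1:-}"
```

An "unknown-version" result on a host where the driver is present should be treated as affected until the installed version is confirmed.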

Added: Mar 25, 2026, 2:24 PM
Updated: Mar 25, 2026, 2:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.2
impact: 10.0
exploitability: 4.2
remediation: 0.0
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.