Linux Kernel Intel Graphics Use-After-Free Vulnerability in Heartbeat Management

A use-after-free vulnerability leading to a reference count underflow has been identified in the Linux kernel's Intel graphics driver. This issue arises in versions of the kernel that include the affected Intel graphics components. The vulnerability occurs when the heartbeat worker and the function 'intel_engine_park_heartbeat()' race to release the same heartbeat request. The heartbeat worker reads the request pointer and decrements the reference count when the request is complete, but clears the pointer in a separate, non-atomic step. Meanwhile, a request retirement on another CPU can drop the engine's wake reference to zero, triggering 'intel_engine_park_heartbeat()'. If the heartbeat timer is still pending, this function reads the stale, non-NULL pointer and decrements the reference count again, causing an underflow.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, causing a reference count underflow. This can potentially be exploited to manipulate memory management, such as creating a dangling pointer that could be used to access freed memory.

Reproduction

The vulnerability can be reproduced by having the heartbeat worker and 'intel_engine_park_heartbeat()' function concurrently attempt to release the same heartbeat request. This can be achieved by triggering a request retirement on one CPU while the heartbeat worker is processing a request on another CPU, creating a race condition that exploits the non-atomic pointer handling.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.