Linux Kernel Fastrpc Double-Free Vulnerability in Remote Heap Management

Vulnerability

A double-free vulnerability has been identified in the Linux kernel's fastrpc subsystem, specifically in versions 6.2 and later. The issue arises in the 'fastrpc_init_create_static_process' function, which can free the 'remote_heap' pointer without clearing it. If the 'INIT_CREATE_STATIC' ioctl encounters an error and the associated rpmsg device is removed, the 'remote_heap' can be freed again, leading to a double-free condition. This vulnerability was discovered through static analysis and manual code review.

Impact

Triggering this vulnerability causes a double free of 'remote_heap', which may lead to memory corruption.

Reproduction

The vulnerability can be reproduced by triggering the 'INIT_CREATE_STATIC' ioctl in the fastrpc subsystem, causing it to hit the error path. This will free the 'remote_heap' pointer without nullifying it. If the rpmsg device is then removed, the 'remote_heap' pointer will be freed again, creating a double-free situation.

Remediation

Users can apply the available patch, which clears the 'remote_heap' pointer after freeing it in the error path, to prevent the double-free condition. The patched version can be obtained from the Linux kernel stable tree.
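
The stale-pointer pattern and the fix described above, as an added userspace model (not the kernel's code). Only the name remote_heap comes from this advisory; the other identifiers are hypothetical, and the removal path releasing the heap whenever the pointer is non-NULL is an assumption. Releases are counted instead of calling free(), so the model itself performs no real double free.

```c
/* Userspace model of the pattern; not kernel code. Only the name remote_heap
 * comes from the advisory; every other identifier is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct heap_buf { int frees; };            /* stand-in buffer that counts releases */
struct chan_ctx { struct heap_buf *remote_heap; };

/* Records a release instead of calling free(), so the model has no real UB. */
static void buf_release(struct heap_buf *b) { b->frees++; }

/* Models the failing init path: the heap is set up, a later step fails,
 * and the error path releases the heap. clear_ptr selects the fixed form. */
static int init_static_fail(struct chan_ctx *c, struct heap_buf *b, bool clear_ptr)
{
    c->remote_heap = b;
    buf_release(c->remote_heap);
    if (clear_ptr)
        c->remote_heap = NULL;             /* the fix: clear after freeing */
    return -1;
}

/* Models device removal (assumed): release the heap if the pointer is set. */
static void device_remove(struct chan_ctx *c)
{
    if (c->remote_heap) {
        buf_release(c->remote_heap);
        c->remote_heap = NULL;
    }
}

/* Runs error path then removal; returns how often the buffer was released. */
static int releases_after_fail_then_remove(bool clear_ptr)
{
    struct heap_buf b = { 0 };
    struct chan_ctx c = { NULL };

    init_static_fail(&c, &b, clear_ptr);
    device_remove(&c);
    return b.frees;
}

int main(void)
{
    printf("stale pointer:   %d releases\n", releases_after_fail_then_remove(false));
    printf("pointer cleared: %d releases\n", releases_after_fail_then_remove(true));
    return 0;
}
```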

Added: May 1, 2026, 4:57 PM
Updated: May 1, 2026, 4:57 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.8
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.