Linux Kernel GPIB Subsystem Use-After-Free Vulnerability in IO IOCTL Handlers

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's GPIB (General Purpose Interface Bus) subsystem, specifically within the IO ioctl handlers: IBRD, IBWRT, IBCMD, and IBWAIT. The issue arises because these handlers use a pointer to a gpib_descriptor after releasing a mutex, creating a window where a concurrent IBCLOSEDEV ioctl can free the descriptor, leading to the use-after-free condition. The vulnerability is rooted in the IO handlers' management of mutexes and descriptor pointers, which can be exploited by manipulating the timing of IO operations and device close commands.

Impact

Triggering the race leaves an IO handler operating on a freed gpib_descriptor. This use-after-free condition may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by sending a request to one of the affected IO ioctl handlers (IBRD, IBWRT, IBCMD, or IBWAIT) while simultaneously issuing an IBCLOSEDEV ioctl for the same gpib_descriptor. This can be done by first calling the IO ioctl handler, which releases the mutex, and then quickly issuing the IBCLOSEDEV ioctl before the handler completes, allowing the descriptor to be freed while it is still in use.
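
The lifetime rule behind this race, as an added userspace model (not the kernel's GPIB code and not the upstream fix): the handler pins the descriptor while the lock is still held, so a close arriving mid-I/O only unpublishes it and the last holder frees it. All names (open_dev, io_begin, io_end, close_dev, table_lock) are hypothetical.

```c
/* Userspace model, constructed for illustration; every name is hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_DESC 4
struct desc { int refs; };              /* refs is protected by table_lock */
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct desc *table[MAX_DESC];
static int frees;                       /* counts real frees, for observation */

static int valid(int h) { return h >= 0 && h < MAX_DESC; }
static void put_locked(struct desc *d) { if (--d->refs == 0) { free(d); frees++; } }

int open_dev(int h) {                   /* the table slot owns one reference */
    int rc = -1;
    pthread_mutex_lock(&table_lock);
    if (valid(h) && !table[h] && (table[h] = calloc(1, sizeof(struct desc))))
        { table[h]->refs = 1; rc = 0; }
    pthread_mutex_unlock(&table_lock);
    return rc;
}
/* Racy pattern: return table[h] here without refs++, then use it unlocked. */
struct desc *io_begin(int h) {          /* pin while the lock is still held */
    struct desc *d = NULL;
    pthread_mutex_lock(&table_lock);
    if (valid(h) && table[h]) { d = table[h]; d->refs++; }
    pthread_mutex_unlock(&table_lock);
    return d;                           /* stays valid across blocking I/O */
}
void io_end(struct desc *d) {           /* drop the pin; last holder frees */
    pthread_mutex_lock(&table_lock);
    put_locked(d);
    pthread_mutex_unlock(&table_lock);
}
int close_dev(int h) {                  /* unpublish, then drop the table's ref */
    int rc = -1;
    pthread_mutex_lock(&table_lock);
    if (valid(h) && table[h]) { put_locked(table[h]); table[h] = NULL; rc = 0; }
    pthread_mutex_unlock(&table_lock);
    return rc;
}
int frees_so_far(void) { return frees; }
int main(void) {
    open_dev(1);
    struct desc *d = io_begin(1);       /* I/O in flight */
    close_dev(1);                       /* close arrives mid-I/O */
    printf("frees while pinned: %d\n", frees_so_far());
    io_end(d);
    printf("frees after io_end: %d\n", frees_so_far());
    return 0;
}
```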

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: May 1, 2026, 4:20 PM
Updated: May 1, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.