Linux Kernel Privcmd Driver Double Free Vulnerability

Vulnerability

A double free vulnerability has been identified in the Linux kernel's privcmd driver, which is used in Xen virtualization. This issue arises because the privcmd_vm_ops structure does not properly manage virtual memory area (VMA) operations. When userspace partially unmaps a privcmd mapping, the kernel splits the VMA, allowing both resulting VMAs to point to the same private data array. This duplication leads to a double free when the VMAs are closed and destroyed. The vulnerability affects Linux domains running on Xen, from kernel version 3.8 onwards.

Impact

Exploitation of this vulnerability allows a domain administrator to perform actions that bypass kernel lockdown restrictions, potentially leading to unauthorized modifications in the kernel.

Reproduction

To reproduce this vulnerability, a partial unmap operation must be performed on a privcmd mapping in a Linux domain running on Xen. This can be done by using the munmap system call to unmap a portion of the privcmd VMA, which triggers the VMA split. The privcmd_close function is then called for the unmapped portion, leading to the double free condition.
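The following is an added userspace model of the bug class described above, written for this page rather than taken from the kernel or from the XSA-487 patch. It shows why a per-mapping private array that close() releases unconditionally gets freed twice once the VMA has been split, and contrasts it with the standard vm_operations pattern of an open() callback that takes a reference (one common remedy, not necessarily the one the advisory patch uses). All struct and function names are constructed for the model.

```c
/* Constructed userspace model of the VMA-split double free described above.
 * Not kernel code and not the XSA-487 fix; names are invented for the model.
 * A "free" is counted instead of performed so the faulty path cannot crash. */

struct priv { int refs; int free_calls; };             /* stands in for the page array */
struct vma  { unsigned long start, end; struct priv *p; };

/* Vulnerable shape: no open() callback, and close() releases the private data
 * without knowing that another VMA still points at it. */
static void bug_open(struct vma *v)  { (void)v; }
static void bug_close(struct vma *v) { v->p->free_calls++; }

/* Hardened shape: open() takes a reference for the VMA created by the split,
 * close() drops one and frees only when the last user is gone. */
static void fix_open(struct vma *v)  { v->p->refs++; }
static void fix_close(struct vma *v) { if (--v->p->refs == 0) v->p->free_calls++; }

/* Models munmap() of the upper half of a mapping: the kernel splits the VMA,
 * copying vm_private_data into the new VMA and calling vm_ops->open() on it,
 * then calls vm_ops->close() on the piece being unmapped. The remaining piece
 * is closed later, at process exit. Returns how many times the shared
 * private data was released: 1 is correct, 2 is the double free. */
static int split_unmap(void (*vm_open)(struct vma *), void (*vm_close)(struct vma *)) {
    struct priv p = { .refs = 1, .free_calls = 0 };
    struct vma lo = { .start = 0x1000, .end = 0x3000, .p = &p };
    struct vma hi = lo;                 /* split at 0x2000: both halves share p */
    lo.end = 0x2000;
    hi.start = 0x2000;
    vm_open(&hi);                       /* new VMA produced by the split */
    vm_close(&hi);                      /* munmap(0x2000, 0x1000) */
    vm_close(&lo);                      /* teardown of the rest at exit */
    return p.free_calls;
}

int vulnerable_free_count(void) { return split_unmap(bug_open, bug_close); }
int fixed_free_count(void)      { return split_unmap(fix_open, fix_close); }
```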

Remediation

Users can apply the patch included in the Xen Security Advisory XSA-487 to address this vulnerability. The patch is available in the Linux kernel stable tree.

Added: Apr 30, 2026, 11:20 AM
Updated: Apr 30, 2026, 11:20 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 7.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.