Linux Kernel Eventpoll Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's eventpoll implementation. The issue arises because the ep_free() function in eventpoll.c can free the eventpoll structure while it is still being accessed by another thread. This vulnerability has been addressed by modifying the memory deallocation to occur after an RCU (Read-Copy-Update) grace period, ensuring that the structure is no longer in use before it is freed.
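The deferred-free pattern described above, modelled in userspace C as an added example (not the kernel patch and not code from this advisory). `struct ep_model`, the reader counter and all function names are hypothetical, and a `live` flag stands in for freed memory so that one interleaving can be replayed deterministically.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the kernel's eventpoll structure. 'live' models
 * whether the memory is still valid; nothing is really freed in this demo. */
struct ep_model { bool live; struct ep_model *next; };

static int active_readers;          /* threads inside a read-side section */
static struct ep_model *deferred;   /* objects waiting for a grace period */

static void model_read_lock(void)   { active_readers++; }
static void model_read_unlock(void) { active_readers--; }

/* "Before" pattern: release at once, even if another thread is still reading. */
static void free_immediately(struct ep_model *ep) { ep->live = false; }

/* "After" pattern: queue the object; release waits for a grace period. */
static void free_deferred(struct ep_model *ep)
{
    ep->next = deferred;
    deferred = ep;
}

/* Simplified grace period: it completes only when no reader is active (real
 * RCU waits only for readers that began before the free was queued).
 * Returns the number of objects released. */
static int run_grace_period(void)
{
    int released = 0;
    if (active_readers > 0)
        return 0;                   /* a reader is active: release nothing */
    for (; deferred; deferred = deferred->next, released++)
        deferred->live = false;
    return released;
}

/* Replays: reader enters, a second thread frees, the reader then accesses the
 * object. Returns true if the reader touched already-released memory. */
static bool reader_sees_freed(bool use_deferred)
{
    struct ep_model ep = { true, NULL };
    model_read_lock();
    if (use_deferred) { free_deferred(&ep); run_grace_period(); }
    else              { free_immediately(&ep); }
    bool stale = !ep.live;          /* the reader's access happens here */
    model_read_unlock();
    run_grace_period();             /* reader gone: release may proceed */
    return stale;
}

int main(void) { printf("immediate=%d deferred=%d\n", reader_sees_freed(false), reader_sees_freed(true)); return 0; }
```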

Impact

A thread that accesses the eventpoll structure after it has been freed triggers a use-after-free condition, which could result in memory corruption or arbitrary code execution.

Reproduction

To reproduce this vulnerability, create a scenario where multiple threads concurrently access and modify eventpoll structures. This can be done by using epoll-based I/O multiplexing in a multithreaded application, where one thread modifies the eventpoll state while another thread is processing events. The race condition can be triggered by freeing an eventpoll structure that is still being used, leading to a use-after-free vulnerability.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.

Added: May 6, 2026, 11:12 AM
Updated: May 6, 2026, 11:12 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.