Linux Kernel Double Memory Management Vulnerability in procfs

Vulnerability

A vulnerability in the Linux kernel's procfs implementation can cause the reference on a process's 'mm_struct' to be dropped twice (a double 'mmput()'). It occurs in the 'do_procmap_query' function when a user provides an incorrectly sized buffer for the build ID. The function returns an '-ENAMETOOLONG' error, but due to recent changes this error is now handled after the locks have been released and the memory reference count has been decremented, so the error path decrements the count a second time. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability can cause a double 'mmput()' operation on the 'mm_struct', the structure that describes a process's memory. Dropping the reference twice can lead to memory corruption or other unintended behavior in the kernel.

Reproduction

To reproduce this vulnerability, send a 'PROCMAP_QUERY' request with an incorrectly sized buffer for the build ID. The kernel will respond with an '-ENAMETOOLONG' error. However, the error is handled after the 'mmap_lock' and the per-VMA lock have been released and the 'mmput()' operation has already been performed. The error path then releases the 'mm_struct' again, which is the double 'mmput()'.
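The control-flow pattern described above, as an added userspace model (not kernel code and not the upstream patch). The names 'model_mm', 'query_buggy', 'query_fixed' and 'ref_delta' are hypothetical, "incorrectly sized" is assumed to mean a buffer smaller than the build ID, and the corrected form is one possible shape of a fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model. These names are illustrative, not kernel symbols. */
struct model_mm { int users; };

static void model_get(struct model_mm *mm) { mm->users++; }
static void model_put(struct model_mm *mm) { mm->users--; }

/* Buggy shape: the size check runs after cleanup, yet its error
 * path still jumps to the label that performs cleanup. */
static int query_buggy(struct model_mm *mm, size_t need, size_t buf_len)
{
    int err = 0;

    model_get(mm);              /* reference held for the query */
    /* ... lookup under locks would happen here ... */
    model_put(mm);              /* locks dropped, reference released */

    if (need > buf_len) {       /* assumed meaning of "incorrectly sized" */
        err = -ENAMETOOLONG;
        goto out;
    }
    return 0;
out:
    model_put(mm);              /* second put for a single get */
    return err;
}

/* Corrected shape: once cleanup has run, errors return directly. */
static int query_fixed(struct model_mm *mm, size_t need, size_t buf_len)
{
    model_get(mm);
    model_put(mm);
    return need > buf_len ? -ENAMETOOLONG : 0;
}

/* Net change in the reference count across one call; 0 is balanced. */
static int ref_delta(int (*fn)(struct model_mm *, size_t, size_t),
                     size_t need, size_t buf_len)
{
    struct model_mm mm = { .users = 1 };   /* owner's own reference */
    fn(&mm, need, buf_len);
    return mm.users - 1;
}

int main(void)
{
    printf("buggy: %d fixed: %d\n",
           ref_delta(query_buggy, 20, 16), ref_delta(query_fixed, 20, 16));
    return 0;
}
```

A delta of -1 means the call consumed a reference it never took, so the owner's later release would act on an object whose count has already reached zero.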

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 6, 2026, 3:28 PM
Updated: May 6, 2026, 3:28 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 4.3
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.