Linux Kernel 9p Xen Double-Free Vulnerability in Front-End State Management

Vulnerability

A double-free vulnerability has been identified in the Linux kernel's 9p Xen file system implementation. The issue is in the 'xen_9pfs_front_free' function, which the 'xenwatch' thread can call multiple times concurrently. This race condition leads to a general protection fault, because the function attempts to free the same memory twice. The vulnerability has been addressed by modifying the function so that only one caller can release the front-end state at a time, which prevents the crash.
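A userspace model of the "only one caller can release the state" rule described above, as an added example that is not the kernel patch or code from this advisory. The names `struct device`, `front_state`, `front_free` and `race_teardown` are hypothetical, and the atomic pointer swap is one way to guarantee a single releasing caller, assumed here for illustration rather than taken from the kernel fix.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-device front-end state (not the kernel struct). */
struct front_state { int nr_rings; };

struct device {
    _Atomic(struct front_state *) priv; /* claimed by exactly one caller */
    atomic_int frees;                   /* number of callers that freed */
};

/* Teardown safe against overlapping callers: the atomic swap hands the
 * pointer to one caller; every other caller reads NULL and backs off. */
static void front_free(struct device *dev)
{
    struct front_state *st = atomic_exchange(&dev->priv, NULL);

    if (!st)
        return; /* already released elsewhere; freeing again would be a double free */
    atomic_fetch_add(&dev->frees, 1);
    free(st);
}

static void *teardown(void *arg) { front_free(arg); return NULL; }

/* Race up to 16 teardown callers on one device; return how many freed. */
int race_teardown(int nthreads)
{
    struct device dev;
    pthread_t tid[16];
    int started = 0;

    atomic_init(&dev.priv, calloc(1, sizeof(struct front_state)));
    atomic_init(&dev.frees, 0);
    for (int i = 0; i < nthreads && i < 16; i++)
        if (pthread_create(&tid[started], NULL, teardown, &dev) == 0)
            started++;
    for (int i = 0; i < started; i++)
        pthread_join(tid[i], NULL);
    front_free(&dev); /* late caller after the race: must be a no-op */
    return atomic_load(&dev.frees);
}

int main(void)
{
    printf("frees performed: %d\n", race_teardown(8));
    return 0;
}
```

Build with `cc -pthread`. Replacing the swap with a plain read of `priv` followed by `free()` reintroduces the window in which two callers hold the same pointer.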

Impact

Exploitation of this vulnerability causes a general protection fault, likely due to a non-canonical address, leading to a crash.

Reproduction

The vulnerability can be reproduced by triggering concurrent calls to the 'xen_9pfs_front_free' function from the 'xenwatch' thread and other back-end change notifications. This can be done by creating a scenario where these calls overlap, such as by rapidly changing back-end states while 'xenwatch' is processing, causing it to free the front-end state multiple times.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 6, 2026, 12:59 PM
Updated: May 6, 2026, 12:59 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.