Linux Kernel ALSA PCM Linked Stream Runtime Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Advanced Linux Sound Architecture (ALSA) subsystem, specifically within the PCM (Pulse Code Modulation) handling. The issue arises in the 'snd_pcm_drain()' function, where the 'runtime' variable is updated to reference a linked stream's runtime without proper synchronization. This lack of synchronization allows a concurrent operation to close the linked stream and free its runtime, leading to a dangling pointer that can be dereferenced, causing memory corruption.
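The lifetime rule that the description says is missing can be shown with a small user-space model. This is an added example, not kernel code and not the upstream fix. It replays the drain/close interleaving in a fixed order and shows that pinning the linked runtime with a reference keeps the late dereference valid. All names (`stream_open`, `drain_pin_linked`, `runtime_put`, and so on) are hypothetical, and the reference count is one generic way to close this class of race.

```c
#include <stdlib.h>

/* User-space model, constructed for illustration; none of these are kernel symbols. */
struct runtime { int refs; int state; };
struct stream  { struct runtime *rt; };

static int freed_count;                /* number of runtimes actually released */

static void runtime_put(struct runtime *rt) {
    if (rt && --rt->refs == 0) { free(rt); freed_count++; }
}

static struct stream *stream_open(void) {
    struct stream *s = malloc(sizeof *s);
    struct runtime *rt = calloc(1, sizeof *rt);
    if (!s || !rt) abort();
    rt->refs = 1;                      /* reference owned by the stream itself */
    rt->state = 42;                    /* constructed sample value */
    s->rt = rt;
    return s;
}

/* Close drops only the stream's reference; the memory is released by the last holder. */
static void stream_close(struct stream *s) {
    runtime_put(s->rt);
    free(s);
}

/* Drain side: pin the linked stream's runtime before using it. With real threads,
 * this lookup-and-pin must run under the same lock that close takes. */
static struct runtime *drain_pin_linked(struct stream *linked) {
    struct runtime *rt = linked->rt;
    if (rt) rt->refs++;
    return rt;
}

/* Fixed-order replay of the race: pin, close of the linked stream, late use. */
static int replay_drain_vs_close(void) {
    int base = freed_count;
    struct stream *linked = stream_open();
    struct runtime *rt = drain_pin_linked(linked);
    stream_close(linked);              /* stands in for the concurrent close */
    int freed_early = freed_count - base;
    int state = rt->state;             /* valid only because of the pin above */
    runtime_put(rt);                   /* drain finished: last reference released */
    return freed_early == 0 && state == 42 && freed_count - base == 1;
}

int main(void) { return replay_drain_vs_close() ? 0 : 1; }
```

Without the pin in `drain_pin_linked`, `stream_close` would release the runtime and the later read of `rt->state` would be the dangling dereference the advisory describes.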

Impact

Exploitation of this vulnerability can lead to memory corruption, potentially allowing for arbitrary code execution or causing a denial-of-service condition by crashing the system.

Reproduction

To reproduce this vulnerability, a linked PCM stream can be created and then closed while the 'snd_pcm_drain()' function is still processing the stream. This can be done by initiating a drain operation on one stream while simultaneously closing another linked stream, which will trigger the use-after-free condition.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: May 8, 2026, 8:16 PM
Updated: May 8, 2026, 8:16 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.