Linux Kernel Cgroup Storage Map End-of-List Detection Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of cgroup storage maps can lead to incorrect data being read and potentially exposed to userspace. This issue arises because the function responsible for retrieving keys from the storage map does not properly recognize when it has reached the end of the list. Instead of returning a 'no more entries' signal, it reads from a faulty pointer that overlaps with internal map fields, copying erroneous data to userspace. The vulnerability is present in the stable versions of the Linux kernel.

Impact

Exploitation of this vulnerability allows for the incorrect reading of storage keys, which can lead to the exposure of invalid data from internal map fields to userspace.

Reproduction

The vulnerability can be reproduced by accessing the cgroup storage maps and iterating through the entries. The 'get_next_key' function will fail to return the correct end-of-list indication for the last entry, instead providing a bogus pointer that aliases internal map fields. This can be observed by monitoring the data returned to userspace, which will include the incorrect information from the internal map fields.
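The end-of-list condition described above, modelled in user-space C as an added example (it is not kernel code and not the actual fix). The struct and function names, the map layout and the -ENOENT return value are assumptions chosen for illustration; the sample list is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };  /* circular list, kernel style */
struct toy_entry { uint64_t key; struct list_head node; };      /* hypothetical entry */
struct toy_map   { uint64_t internal; struct list_head head; }; /* hypothetical map */

static struct toy_map map;
static struct toy_entry e1, e2;

/* Constructed sample: head -> e1 -> e2 -> head */
static void build(void) {
    map.internal = 0xdeadbeefcafef00dULL; e1.key = 1; e2.key = 2;
    map.head.next = &e1.node; e1.node.next = &e2.node; e2.node.next = &map.head;
    map.head.prev = &e2.node; e2.node.prev = &e1.node; e1.node.prev = &map.head;
}

/* Same address arithmetic as container_of(n, struct toy_entry, node)->key */
static void read_key(const struct list_head *n, uint64_t *out) {
    const char *entry = (const char *)n - offsetof(struct toy_entry, node);
    memcpy(out, entry + offsetof(struct toy_entry, key), sizeof *out);
}

/* Flawed: treats whatever follows cur as an entry, even the list head. */
static int next_key_unchecked(const struct list_head *cur, uint64_t *out) {
    read_key(cur->next, out);
    return 0;
}

/* Corrected: the node after the last entry is the head, so report end of list. */
static int next_key_checked(const struct toy_map *m, const struct list_head *cur, uint64_t *out) {
    if (cur->next == &m->head)
        return -ENOENT;
    read_key(cur->next, out);
    return 0;
}

int main(void) {
    uint64_t k = 0;
    build();
    int rc = next_key_unchecked(&e2.node, &k);
    printf("unchecked: rc=%d key=%#llx\n", rc, (unsigned long long)k);
    rc = next_key_checked(&map, &e2.node, &k);
    printf("checked:   rc=%d\n", rc);
    return 0;
}
```

In the unchecked variant the "key" returned after the last entry is the map's own internal field, because the list head is embedded in the map rather than in an entry.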

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.

Added: May 27, 2026, 11:26 AM
Updated: May 27, 2026, 11:26 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.