Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- ~6.16
A use-after-free vulnerability has been identified in the Linux kernel's DAMON sysfs interface, specifically in the 'memcg_path' and 'path' files. User-driven reads and writes to the 'memcg_path' file are not synchronized with each other, so a read can access a buffer that a concurrent write has already freed. The race requires that reading and writing go through separate open files, which is a common usage pattern. The problem has been addressed by introducing a lock that serializes access to these sysfs files.
Triggering the race produces a use-after-free, which can lead to memory corruption and potentially to arbitrary code execution in the kernel.
The vulnerability can be reproduced by writing to the 'memcg_path' file in the DAMON sysfs interface through one open file while simultaneously reading it through a different open file. The write operation frees the buffer that 'memcg_path' points to and replaces it, so a read that is still in progress on the other open file can dereference the freed buffer. The issue does not arise when the same open file is used for both reading and writing, because kernfs already serializes operations on a single open file.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this patch is applied.