Linux Kernel Race Condition Vulnerability in DRM Gem Handle Management

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's Direct Rendering Manager (DRM) component, specifically within the handling of Graphics Execution Manager (GEM) objects. This vulnerability arises in the 'drm_gem_change_handle_ioctl' function, where an object can be associated with two different IDR (ID Radix Tree) entries. If a 'gem_close' operation is executed concurrently, it can delete the object and remove one handle while leaving the other handle dangling. This dangling handle can then be dereferenced, leading to a use-after-free condition.
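To make the handle/reference mismatch concrete, the following is an added userspace model, not kernel code and not the referenced patch: a constructed handle table stands in for the IDR, each function is treated as one step a concurrent close cannot split (the role the kernel's handle lock plays for lookup and removal), and the "safe" variant is a general pattern rather than the actual upstream fix.

```c
#include <string.h>

/* Constructed toy model of a GEM object and its handle table (a stand-in for
 * the kernel's IDR); not kernel code. Each function is one indivisible step. */
#define MAX_HANDLES 8
struct gem_obj { int refcount; int freed; };  /* freed = 1 after the last put */
static struct gem_obj *handles[MAX_HANDLES];  /* handle number -> object */

static void obj_put(struct gem_obj *o) { if (--o->refcount == 0) o->freed = 1; }

/* Lookup that takes a reference in the same step (kernel: under the lock). */
static struct gem_obj *lookup_get(int h) {
    struct gem_obj *o = handles[h];
    if (o) o->refcount++;
    return o;
}

/* gem_close: remove the handle and drop the reference it owned. */
static void gem_close(int h) {
    struct gem_obj *o = handles[h];
    if (!o) return;
    handles[h] = NULL;
    obj_put(o);
}

/* The property to check: no handle may name a freed object. */
static int dangling_handles(void) {
    int n = 0;
    for (int i = 0; i < MAX_HANDLES; i++) n += (handles[i] && handles[i]->freed);
    return n;
}

/* Buggy change-handle: the new handle is published without a reference of
 * its own, so for a window two handles share one reference. `racer` is the
 * concurrent close that lands inside that window. */
static void change_handle_buggy(int old, int new_, void (*racer)(void)) {
    handles[new_] = handles[old];
    racer();
    handles[old] = NULL;
}

/* Hardened pattern (illustrative): the new handle owns its own reference
 * before it is visible; the old handle is retired through the normal close
 * path, so a racing close either wins or finds the handle already gone. */
static int change_handle_safe(int old, int new_, void (*racer)(void)) {
    struct gem_obj *o = lookup_get(old);
    if (!o) return -1;
    handles[new_] = o;
    racer();
    gem_close(old);
    return 0;
}

static void close_handle_1(void) { gem_close(1); }

/* Run the advisory's interleaving on either variant; returns the number of
 * handles left naming a freed object (0 means no use-after-free). */
static int simulate(int safe) {
    struct gem_obj obj = { .refcount = 1, .freed = 0 };
    memset(handles, 0, sizeof handles);
    handles[1] = &obj;
    if (safe) change_handle_safe(1, 2, close_handle_1);
    else change_handle_buggy(1, 2, close_handle_1);
    return dangling_handles();
}
```

Running `simulate(0)` leaves handle 2 pointing at a freed object, while `simulate(1)` keeps the object alive until its last handle is closed.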

Impact

Exploitation of this vulnerability could result in a use-after-free condition, potentially allowing for arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by invoking the 'drm_gem_change_handle_ioctl' function while simultaneously closing a GEM object. This can be achieved by creating a scenario where one part of the code is changing the handle of a GEM object, while another part is closing the same object, thus introducing the race condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is '5e28b7b94408897e41c63477aabc9e1db439bc8c', which is included in the official Linux kernel stable releases.

Added: May 28, 2026, 11:07 AM
Updated: May 28, 2026, 11:07 AM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          9.0
  impact          1.3
  exploitability  3.9
  remediation     7.7
  relevance       9.6
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.