Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's KVM for arm64 architecture has been addressed. The issue arose in the Virtual Generic Interrupt Controller (VGIC) Interrupt Translation Service (ITS) handling. The function responsible for invalidating the translation cache improperly managed reference counts, leading to a potential use-after-free scenario. This flaw allowed the same cache entry to be erased and its reference dropped multiple times concurrently, creating a risk of accessing freed memory while still mapped by an Interrupt Translation Entry (ITE).
Exploitation of this vulnerability could lead to a use-after-free condition, allowing for memory corruption or potentially arbitrary code execution.
To reproduce this vulnerability, invoke the 'vgic_its_invalidate_cache' function while the ITS command handlers are active. This function will iterate over the translation cache and incorrectly drop reference counts on cache entries. If multiple contexts erase the same entry simultaneously, the reference count can be decremented more than once, leading to a use-after-free condition.
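The failure mode described above, a cache entry being erased and its reference dropped by two contexts at once, is easiest to see in a small model. The following C program is an added illustration, not code from the Linux kernel or from the fix for this issue: the `ite`, `cache_entry`, `ite_put` and `*_erase` names are constructed for the example, the interleaving is written out sequentially so it runs deterministically, and the corrected variant shows only the general pattern (atomically swap the slot pointer out and let the single winner drop the reference), not the kernel's actual change.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a translation-cache target. The refcount holds one
 * reference for the ITE mapping and one for the translation cache. */
struct ite {
    atomic_int refcount;
    bool freed;            /* stands in for the object having been freed */
};

/* One translation-cache slot, pointing at the cached target (or NULL). */
struct cache_entry {
    _Atomic(struct ite *) ite;
};

static void ite_get(struct ite *ite)
{
    atomic_fetch_add(&ite->refcount, 1);
}

/* Drop one reference; the last put "frees" the object. */
static void ite_put(struct ite *ite)
{
    if (atomic_fetch_sub(&ite->refcount, 1) == 1)
        ite->freed = true;
}

/* Racy erase, split into its two non-atomic halves so that an interleaving
 * between two contexts can be written down: snapshot the pointer now, clear
 * the slot and drop the reference later. Two contexts that both snapshot the
 * same pointer both drop the single cache reference. */
static struct ite *racy_erase_begin(struct cache_entry *e)
{
    return atomic_load(&e->ite);
}

static void racy_erase_finish(struct cache_entry *e, struct ite *ite)
{
    atomic_store(&e->ite, (struct ite *)NULL);
    if (ite)
        ite_put(ite);
}

/* Corrected pattern: the exchange is atomic, so exactly one context observes
 * the non-NULL pointer and therefore owns the cache's reference. */
static void safe_erase(struct cache_entry *e)
{
    struct ite *ite = atomic_exchange(&e->ite, (struct ite *)NULL);
    if (ite)
        ite_put(ite);
}

/* Constructed setup: one target that is mapped (ref 1) and cached (ref 2). */
static void setup(struct ite *ite, struct cache_entry *e)
{
    atomic_init(&ite->refcount, 1);   /* the ITE mapping's reference */
    ite->freed = false;
    ite_get(ite);                      /* the translation cache's reference */
    atomic_init(&e->ite, ite);
}

/* Contexts A and B invalidate the same entry with the racy erase.
 * Returns the final refcount and reports whether the object was freed
 * while the ITE mapping still referenced it. */
int racy_invalidate_final_refcount(bool *freed_while_mapped)
{
    struct ite ite;
    struct cache_entry e;
    setup(&ite, &e);
    struct ite *seen_by_a = racy_erase_begin(&e);
    struct ite *seen_by_b = racy_erase_begin(&e);   /* B reads before A clears */
    racy_erase_finish(&e, seen_by_a);              /* first drop of the cache ref */
    racy_erase_finish(&e, seen_by_b);              /* second drop of the same ref */
    *freed_while_mapped = ite.freed;
    return atomic_load(&ite.refcount);
}

/* Same two contexts with the atomic-exchange erase: only one drop happens. */
int safe_invalidate_final_refcount(bool *freed_while_mapped)
{
    struct ite ite;
    struct cache_entry e;
    setup(&ite, &e);
    safe_erase(&e);   /* A wins the exchange and drops the cache reference */
    safe_erase(&e);   /* B sees NULL and drops nothing */
    *freed_while_mapped = ite.freed;
    return atomic_load(&ite.refcount);
}
```

In the racy run the refcount reaches zero and the object is freed although the ITE mapping still points at it, which is the use-after-free window the advisory describes; in the corrected run the mapping's reference survives invalidation. The general lesson is that erasing a cached pointer and dropping the reference it represents must be one atomic ownership transfer, never a read followed by a separate clear.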
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.