CVE-2023-54202
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: fix race condition UAF in i915_perf_add_config_ioctl
Userspace can guess the id value and try to race oa_config object creation with config remove, resulting in a use-after-free if we dereference the object after unlocking the metrics_lock. For that reason, unlocking the metrics_lock must be done after we are done dereferencing the object.
[tursulin: Manually added stable tag.] (cherry picked from commit 49f6f6483b652108bcb73accd0204a464b922395)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's i915 driver can lead to a use-after-free when creating OA config objects.
Vulnerability
Overview
A use-after-free (UAF) vulnerability exists in the Linux kernel's i915 graphics driver, specifically in the i915_perf_add_config_ioctl function. The root cause is a race condition where userspace can guess an oa_config object's ID and race the object creation with a concurrent removal operation. If the object is dereferenced after the metrics_lock is released, the freed memory can be accessed, leading to a UAF condition [1].
Exploitation
To exploit this vulnerability, an attacker must have local access to the system and be able to interact with the i915 perf subsystem. The attack requires precise timing to guess the ID of an oa_config object and trigger the race between creation and removal. No special privileges beyond normal user access to the DRM subsystem are mentioned in the source [1].
Impact
Successful exploitation could allow an attacker to cause a denial of service (system crash) or potentially escalate privileges, as UAF bugs in kernel drivers often lead to arbitrary code execution. The vulnerability is classified as a high-severity issue due to the possibility of local privilege escalation [1].
Mitigation
The fix has been applied in the Linux kernel stable tree via commit 49f6f6483b652108bcb73accd0204a464b922395, which ensures that the metrics_lock is not released until after all dereferences of the oa_config object are complete [1]. Users should apply the latest kernel updates to their distribution to remediate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
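The lock ordering from the description, reduced to a deterministic userspace model (an added example, not the kernel's code or the fix commit). Everything except the name `metrics_lock` is hypothetical: a `live` flag stands in for freed memory so no invalid access actually happens, and the inline call to `remove_config(guess)` stands in for a second thread winning the race.

```c
/* Userspace model of the lock ordering described in the CVE; not i915 code. */
#include <pthread.h>
#include <stdio.h>

struct cfg { int id; int live; };       /* live == 0 models a freed object */
static struct cfg slot;                 /* one-entry stand-in for the id table */
static int next_id = 2;                 /* constructed starting id */
static pthread_mutex_t metrics_lock = PTHREAD_MUTEX_INITIALIZER;
static int stale_reads;                 /* reads that would have been a UAF */

static int cfg_id(const struct cfg *c)  /* every dereference goes through here */
{
    stale_reads += !c->live;
    return c->id;
}

static void remove_config(int id)       /* the concurrent "config remove" path */
{
    pthread_mutex_lock(&metrics_lock);
    if (slot.live && slot.id == id)
        slot.live = 0;
    pthread_mutex_unlock(&metrics_lock);
}

/* unlock_first: 1 = pre-fix order (unlock, then dereference),
 * 0 = post-fix order (copy the id under the lock, then unlock).
 * guess is the id that the racing caller guessed. */
int add_config(int unlock_first, int guess)
{
    int id = -1;

    pthread_mutex_lock(&metrics_lock);
    slot = (struct cfg){ .id = next_id++, .live = 1 };  /* published: removable */
    if (!unlock_first)
        id = cfg_id(&slot);             /* dereference while still locked */
    pthread_mutex_unlock(&metrics_lock);
    remove_config(guess);               /* the racing remover runs in this window */
    if (unlock_first)
        id = cfg_id(&slot);             /* stale if the guess was right */
    return id;
}

int main(void)
{
    int racy = add_config(1, 2);        /* guess matches the first id */
    printf("pre-fix:  id=%d stale_reads=%d\n", racy, stale_reads);
    int fixed = add_config(0, 3);       /* same race, id copied under the lock */
    printf("post-fix: id=%d stale_reads=%d\n", fixed, stale_reads);
    return 0;
}
```

With the pre-fix ordering a correct guess produces a stale read; with the post-fix ordering the same removal still happens, but the id was already copied out while the lock was held.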
Affected products: 1
Patches: 4
6eeb1cba4c9d, 240b15027088, 7eb98f5ac551, dc30c0114691
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.