Executive Summary

This vulnerability exists in the Linux kernel's SysV IPC (Inter-Process Communication) ID allocation mechanism, specifically in the checkpoint/restore sysctl path. The function ipc_idr_alloc() requests the next IPC id without properly limiting the allocation range, allowing it to allocate IDs beyond the valid maximum (ipc_mni).

Because the allocation can spill beyond the valid ID range, the system encodes the new object ID with a narrower index width, causing later lookups and removals to target incorrect slots. This breaks the internal IDR (ID Radix Tree) state, leaving behind stale or dangling entries.

As a result, when shared memory objects are destroyed, the real high-index IDR slot remains as a dangling pointer. Subsequent operations, such as walking /proc/sysvipc/shm, may dereference freed memory, potentially leading to undefined behavior or system instability.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to corruption of the internal IDR state in the Linux kernel's IPC subsystem. Specifically, it can cause stale or dangling pointers to remain in the IDR data structures.

Such corruption may result in the kernel dereferencing freed memory when accessing IPC shared memory information, which can cause system instability, crashes, or potentially allow attackers to exploit the kernel memory corruption for privilege escalation or denial of service.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, ensure that the allocation of SysV IPC ids is bounded to the valid range ipc_mni. This prevents the checkpoint/restore path from allocating IDs beyond the valid range, which causes the issue.

Specifically, update or patch the Linux kernel to a version where ipc_idr_alloc() limits the next_id allocation to ipc_mni, so that the checkpoint/restore sysctl path fails once the valid range is exhausted.

Useful 0 Not Useful 0