Kernel Vmalloc Use-After-Free in the ION Allocator

We discussed this vulnerability during Episode 86 on 28 September 2021

A Use-After-Free in Android’s ION Allocator used by the kernel for DMA buffers that can be shared across user/kernel/device boundaries. The issue starts from the DMA_BUF_IOCTL_SYNC that is exposed by the buffer’s file descriptor, this IOCTL can arbitrarily increment or decrement the reference counter for the shared buffer. Enabling a malicious user-space application to allocate a DMA buffer, pass it into another kernel function and then trigger the reference count to drop to zero resulting in it being freed while the other function is still using it.