Linux Kernel BPF Subsystem Use-After-Free Vulnerability in Cgroup Link Management

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically in its management of cgroup links. The bug arises when a BPF link is detached: the detach path frees the link but can leave a stale pointer to the freed memory behind. Any later operation that dereferences this pointer results in an invalid memory access. The issue was discovered by Syzbot, the kernel fuzzing system.

Impact

Triggering this vulnerability causes a use-after-free memory error, which can lead to memory corruption and potentially to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating multiple BPF links and then injecting a fault so that a memory allocation fails while 'bpf_link_detach' is called on them. The detach path frees the link but can leave a pointer to the freed memory in a cgroup list: if the allocation fails, the error path restores the list pointer to the cgroup link even though the link has already been freed. Subsequent calls that update the effective programs then dereference the stale pointer, triggering the use-after-free.

Remediation

The vulnerability has been addressed in the official Linux kernel repository. Users should upgrade to the latest version of the Linux kernel where this issue has been fixed.

Added: Jun 18, 2025, 1:16 PM
Updated: Jun 18, 2025, 1:16 PM

Vulnerability Rating

Custom Algorithm scores:

  spread          9.0
  impact          2.5
  exploitability  3.9
  remediation     0.0
  relevance       0.2
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.