Linux Kernel BPF Sockmap Use-After-Free Vulnerability in Socket Map Free Function

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's BPF sockmap implementation. The issue arises in the 'sock_map_free()' function, which calls 'release_sock(sk)' without holding a reference to the socket. This oversight can lead to a use-after-free condition, as reported by syzbot. The problem is similar to a previously addressed issue in 'sock_hash_free()'. The vulnerability causes a reference count decrement to hit zero, leading to memory leakage.
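The reference pattern described above, as an added example that is not kernel code and not part of the original advisory: a single-threaded user-space model in which "freeing" only sets a flag, so that an access after the last reference is dropped can be counted safely. All `toy_*` names and the interleaving are constructed, and the pinned variant (take a reference before locking, drop it after unlocking) is an assumption about one way to hold a reference across the release, not a fix quoted from this page.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a socket: only what the reference pattern needs. */
struct toy_sock {
    int  refcnt;        /* models the socket reference count */
    bool locked;        /* models the socket lock */
    bool freed;         /* set instead of calling free(), so late accesses can be counted */
    int  late_accesses; /* touches made after the last reference was dropped */
};

struct outcome { int late_accesses; bool freed_at_end; };

static void toy_hold(struct toy_sock *sk)    { sk->refcnt++; }
static void toy_put(struct toy_sock *sk)     { if (--sk->refcnt == 0) sk->freed = true; }
static void toy_touch(struct toy_sock *sk)   { if (sk->freed) sk->late_accesses++; }
static void toy_lock(struct toy_sock *sk)    { toy_touch(sk); sk->locked = true; }
static void toy_release(struct toy_sock *sk) { toy_touch(sk); sk->locked = false; }

/* Teardown of one map entry. pin=false models releasing the lock without a
 * reference of our own; pin=true takes one for the whole locked region. */
static struct outcome toy_map_free_entry(bool pin)
{
    struct toy_sock sk = { .refcnt = 1 };  /* sole reference belongs to another path */

    if (pin)
        toy_hold(&sk);
    toy_lock(&sk);
    toy_put(&sk);      /* constructed interleaving: the other owner drops its reference */
    toy_release(&sk);  /* a late access if the count already reached zero */
    if (pin)
        toy_put(&sk);  /* our own reference goes last, after the unlock */

    return (struct outcome){ sk.late_accesses, sk.freed };
}

int main(void)
{
    struct outcome bad = toy_map_free_entry(false), good = toy_map_free_entry(true);
    printf("no reference held: late accesses=%d freed=%d\n", bad.late_accesses, bad.freed_at_end);
    printf("reference held:    late accesses=%d freed=%d\n", good.late_accesses, good.freed_at_end);
    return 0;
}
```

In both variants the object is freed exactly once at the end; only the variant without its own reference touches it after the count reaches zero.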

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using the BPF sockmap feature in the Linux kernel. When a socket is freed in the sockmap without proper reference management, it triggers the use-after-free condition. This can be automated with a syzkaller fuzzing campaign, which has already reported the issue.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Sep 15, 2025, 3:45 PM
Updated: Sep 15, 2025, 3:45 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.