Linux Kernel Use-After-Free Vulnerability in IPv6 Multicast Routing

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's IPv6 multicast routing implementation. This issue arises in the 'ip6mr_sk_done()' function when the 'addrconf_init_net()' initialization fails. The vulnerability occurs because 'devconf_all', a pointer to the network's IPv6 device configuration, is released during the failed initialization. When 'ip6mr_sk_done()' is subsequently called, it accesses the invalid pointer, leading to a memory access error. The vulnerability has been addressed in the Linux kernel stable tree.

Impact

Triggering this vulnerability results in a use-after-free condition, a class of bug that can commonly be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by creating a new network namespace and initializing the IPv6 address configuration. If the initialization fails, the 'devconf_all' pointer becomes invalid. When 'ip6mr_sk_done()' is called to clean up, it accesses the invalid pointer, causing a use-after-free condition. This can be observed in the kernel's call trace, where the 'ip6mr_sk_done()' function is called with a freed pointer, leading to a memory access violation.
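The failure path described above, as an added userspace model (not kernel code and not the upstream patch): a failed init frees the configuration object but leaves the pointer in place, and a cleanup routine modelled on 'ip6mr_sk_done()' then touches it. The struct layouts, the 'mc_forwarding' field, the one-slot allocator and the pointer-clearing fix are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model only: names echo the advisory, bodies are constructed. */
struct devconf { int mc_forwarding; int live; };
struct net_model { struct devconf *devconf_all; };

static struct devconf slot;   /* one-object "slab" so stale reads stay defined */

static struct devconf *model_alloc(void) {
    slot.mc_forwarding = 0;
    slot.live = 1;
    return &slot;
}

static void model_free(struct devconf *p) {
    memset(p, 0x6b, sizeof(*p));   /* poison the object, as slab debugging does */
    p->live = 0;                   /* model bookkeeping: object is no longer valid */
}

/* Init that fails after allocating: the error path frees but keeps the pointer. */
static int init_net_buggy(struct net_model *net) {
    net->devconf_all = model_alloc();
    model_free(net->devconf_all);  /* net->devconf_all now dangles */
    return -1;
}

/* Same error path, with the stale pointer cleared (assumed mitigation). */
static int init_net_fixed(struct net_model *net) {
    net->devconf_all = model_alloc();
    model_free(net->devconf_all);
    net->devconf_all = NULL;
    return -1;
}

/* Cleanup in the style of ip6mr_sk_done().
 * Returns 0 if skipped, 1 if it updated live config, -1 if it hit freed memory. */
static int sk_done_model(struct net_model *net) {
    if (!net->devconf_all) return 0;
    if (!net->devconf_all->live) return -1;   /* the use-after-free access */
    net->devconf_all->mc_forwarding--;
    return 1;
}

int main(void) {
    struct net_model a = {0}, b = {0};
    init_net_buggy(&a);
    init_net_fixed(&b);
    printf("buggy: %d, fixed: %d\n", sk_done_model(&a), sk_done_model(&b));
    return 0;
}
```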

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Sep 15, 2025, 6:50 PM
Updated: Sep 15, 2025, 6:50 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.