Linux Kernel BPF Sockmap TCP Socket Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's TCP BPF sockmap implementation (net/ipv4/tcp_bpf.c). This page lists kernel versions prior to 6.1.0 as affected. The bug is in tcp_bpf_send_verdict(): the local 'eval' variable, which records that the socket reference taken for a redirect verdict must be dropped once the data has been sent, is initialised only once at function entry and is not reset when the function loops back (the 'more_data' path) to process the remainder of a message. A redirect verdict from an earlier pass therefore leaks into a later pass, and sock_put() is called again on a socket whose reference is still held. The reference count underflows and the kernel warns with "refcount_t: addition on 0; use-after-free", that is, the TCP socket can be released while it is still in use.

Impact

Triggering the bug drops a socket reference the kernel still relies on, so the TCP socket can be freed while the sockmap path still points at it. In practice this shows up as the refcount warning followed by memory corruption, a kernel crash (denial of service) or other undefined behaviour; the advisory does not describe anything beyond that. Note that reaching the code path requires attaching a BPF sk_msg verdict program to a sockmap, which needs root or the equivalent BPF and network-admin capabilities, so the exposure is from privileged local code rather than from unprivileged network peers.

Reproduction

The vulnerability can be reproduced with a BPF sk_msg program attached to a sockmap that redirects TCP traffic and limits how many bytes each verdict applies to (the bpf_msg_apply_bytes helper). Sending a message larger than that limit forces tcp_bpf_send_verdict() to loop back for the remaining bytes with 'more_data', which is the condition that triggers the bug; the kernel's own selftest, test_sockmap, exercises the same combination through its --txmsg_redir and --txmsg_apply options. The 'sockhash_bypass' module can be used to facilitate this process.
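The loop described under Vulnerability, in the apply-budget scenario of the reproduction above, as an added user-space model. This is example code written for this page, not the kernel's tcp_bpf_send_verdict(): struct msock, struct mpsock, the scripted verdict program (struct script) and the 12-byte/10-byte counts are constructed stand-ins that keep only the parts that matter, namely the per-verdict apply budget, the reference held on the redirect target, and the local eval that decides whether that reference is dropped. The fixed variant differs from the vulnerable one only in resetting eval on every pass.

```c
#include <stddef.h>

/* Constructed user-space model of the tcp_bpf_send_verdict() loop; not kernel
 * code. Struct names, the scripted verdict program and the byte counts are
 * stand-ins for this example only. */

enum verdict { SK_NONE, SK_PASS, SK_REDIRECT };

struct msock {
    int refcnt;    /* models sk_refcnt; 1 = the owner's own reference */
    int warnings;  /* models "refcount_t: addition on 0; use-after-free" */
};

/* Both operations warn instead of touching a socket whose count is already 0. */
static void msock_hold(struct msock *sk) { if (sk->refcnt > 0) sk->refcnt++; else sk->warnings++; }
static void msock_put(struct msock *sk)  { if (sk->refcnt > 0) sk->refcnt--; else sk->warnings++; }

struct mpsock {
    enum verdict eval;       /* verdict for the message in flight; SK_NONE = ask again */
    struct msock *sk_redir;  /* redirect target; a reference is held while this is set */
    int apply_bytes;         /* bytes the current verdict still covers; 0 = whole message */
};

/* Stand-in for the sk_msg verdict program: one scripted (verdict, apply) per call. */
struct script { enum verdict v; int apply; };

static enum verdict run_verdict(struct mpsock *psock, struct msock *target,
                                const struct script *s, int *idx)
{
    const struct script *cur = &s[(*idx)++];

    psock->apply_bytes = cur->apply;
    if (cur->v == SK_REDIRECT) {
        if (psock->sk_redir)
            msock_put(psock->sk_redir);
        psock->sk_redir = target;
        msock_hold(target);  /* the verdict path takes the reference that send must drop */
    }
    return cur->v;
}

/* Delivers 'remaining' bytes of one message, looping back (more_data) until done.
 * fixed == 0 mirrors the vulnerable placement of eval = SK_NONE (once, at entry);
 * fixed != 0 resets it on every pass. */
static void send_verdict(struct mpsock *psock, struct msock *target,
                         const struct script *s, int remaining, int fixed)
{
    enum verdict eval = SK_NONE;  /* vulnerable: initialised here only */
    int idx = 0, tosend;

more_data:
    if (psock->eval == SK_NONE)
        psock->eval = run_verdict(psock, target, s, &idx);

    tosend = remaining;
    if (psock->apply_bytes && psock->apply_bytes < tosend)
        tosend = psock->apply_bytes;
    if (fixed)
        eval = SK_NONE;  /* fixed: a previous pass's verdict must not leak into this one */

    if (psock->eval == SK_REDIRECT) {
        struct msock *sk_redir = psock->sk_redir;

        if (psock->apply_bytes)
            psock->apply_bytes -= tosend;
        if (!psock->apply_bytes) {  /* budget exhausted: this pass owns the drop */
            eval = psock->eval;
            psock->eval = SK_NONE;
            psock->sk_redir = NULL;
        }
        /* ... tosend bytes would be handed to sk_redir here ... */
        if (eval == SK_REDIRECT)    /* with stale eval this also fires on pass 2 */
            msock_put(sk_redir);
    }
    /* SK_PASS: data goes out on the local socket, nothing to release */

    remaining -= tosend;
    if (!psock->apply_bytes) {
        psock->eval = SK_NONE;
        if (psock->sk_redir)
            msock_put(psock->sk_redir);
        psock->sk_redir = NULL;
    }
    if (remaining > 0)
        goto more_data;
}

struct outcome { int refcnt; int warnings; };

/* Scenario matching the reproduction (constructed values): the first verdict
 * redirects with a 10-byte apply budget, the 12-byte message needs a second
 * pass, and the second verdict redirects again with more budget than the 2
 * bytes left, so pass 2 must leave the new reference alone. */
static struct outcome run_scenario(int fixed)
{
    static const struct script prog[] = { { SK_REDIRECT, 10 }, { SK_REDIRECT, 100 } };
    struct msock target = { 1, 0 };
    struct mpsock psock = { SK_NONE, NULL, 0 };
    struct outcome out;

    send_verdict(&psock, &target, prog, 12, fixed);

    /* Later the budget runs out (or the psock is torn down): the held reference is dropped. */
    if (psock.sk_redir)
        msock_put(psock.sk_redir);
    msock_hold(&target);  /* the owner touches its own socket again */

    out.refcnt = target.refcnt;
    out.warnings = target.warnings;
    return out;  /* vulnerable: {0, 1}; fixed: {2, 0} */
}
```

With the vulnerable placement, pass 1 exhausts the 10-byte budget and correctly drops its reference, but eval still reads SK_REDIRECT when pass 2 runs, so the 2-byte pass also calls msock_put() even though the budget is not exhausted and psock still holds the new reference. The later legitimate drop then takes the owner's own reference, and the owner's next hold lands on a count of zero, which is the "addition on 0" warning the advisory describes. Resetting eval at the top of each pass is all that separates the two runs.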

Remediation

Users can upgrade to Linux kernel version 6.1.0 or later, where this page records the vulnerability as fixed, or to a distribution kernel that carries the backported fix. When checking a running system, keep in mind that `uname -r` reports the upstream version string, which does not reflect vendor backports; compare against the distribution's own advisory or changelog rather than the version number alone.

Added: Oct 7, 2025, 6:19 PM
Updated: Oct 7, 2025, 6:19 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  4.3
remediation     7.7
relevance       0.6
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.