Linux Kernel SKB Coalescing Race Condition Vulnerability Leading to Use-After-Free or Double-Free Errors

Vulnerability

A vulnerability in the Linux kernel's handling of socket buffer (SKB) coalescing can lead to use-after-free or double-free errors. This issue arises from a race condition between coalescing SKBs and releasing them, particularly when dealing with cloned SKBs and page pool fragment recycling. The vulnerability is present in the Linux kernel stable tree, specifically in versions through 6.2.0.

Impact

Exploitation of this vulnerability causes use-after-free or double-free errors, disrupting memory management and potentially leading to arbitrary code execution or system crashes.

Reproduction

The vulnerability can be reproduced by coalescing socket buffers (SKBs) while one of them is cloned and has page pool fragment recycling enabled. If the cloned SKB is released before the coalescing process is complete, it creates a race condition. This can be observed by monitoring the reference counts of the fragmented pages, which may become inconsistent, leading to a double-free error when the SKB is released.
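The reference-count inconsistency described above can be followed step by step in a small userspace model. This is an added example, not kernel code and not part of the advisory. The struct and function names, the single-fragment setup, the non-recycling destination SKB and the `refuse_cloned` mitigation are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model with hypothetical names; not kernel code. */
struct page_m { int refcount; int frees; };   /* frees > 1 means double free */
struct data_m { int holders; int nr_frags; struct page_m *frag; bool pp_recycle; };

static void put_page_m(struct page_m *p) { if (--p->refcount <= 0) p->frees++; }

/* Drop one holder of shared SKB data; the last holder releases the fragment. */
static void release_m(struct data_m *d)
{
    if (--d->holders > 0 || d->nr_frags == 0)
        return;
    if (!d->pp_recycle)
        put_page_m(d->frag);   /* ordinary page: drop a page reference */
    /* pp_recycle: fragment returns to the pool, which keeps its own reference */
}

/* Returns how many times the page ends up freed (1 is correct).
 * race: the clone is released in the middle of coalescing.
 * refuse_cloned: assumed mitigation, never coalesce a cloned recycling source. */
static int simulate(bool race, bool refuse_cloned)
{
    struct page_m page = { .refcount = 1, .frees = 0 };   /* reference owned by the pool */
    struct data_m from = { 2, 1, &page, true };           /* shared by 'from' and its clone */
    struct data_m to = { 1, 0, NULL, false };
    bool coalesced = false;
    if (!(refuse_cloned && from.holders > 1)) {
        to.frag = from.frag;                       /* 'to' now points at the pool page */
        to.nr_frags = 1;
        if (race) release_m(&from);                /* clone released mid-coalesce */
        if (from.holders == 1) from.nr_frags = 0;  /* looks unshared: frags treated as moved */
        if (from.nr_frags) page.refcount++;        /* extra reference for 'to'; skipped in the race */
        coalesced = true;
    }
    if (!(race && coalesced)) release_m(&from);    /* clone released after coalescing instead */
    release_m(&from);                              /* 'from' itself */
    release_m(&to);                                /* non-recycling 'to' drops a page reference */
    put_page_m(&page);                             /* pool drops its own reference at teardown */
    return page.frees;
}

int main(void)
{
    printf("no race: %d, race: %d, race+mitigation: %d\n",
           simulate(false, false), simulate(true, false), simulate(true, true));
    return 0;
}
```

A result of 2 from `simulate(true, false)` is the double free: the destination SKB and the pool each drop what they believe is the last reference to the same page.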

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree to address this vulnerability.

Added: Sep 15, 2025, 2:51 PM
Updated: Sep 15, 2025, 8:48 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.