Linux Kernel Refcount Underflow Vulnerability in IPv6 Address Configuration

A potential refcount underflow vulnerability has been identified in the Linux kernel's IPv6 address configuration module. This issue arises in the 'addrconf_mod_rs_timer()' function, where the reference count for the 'idev' structure may be improperly managed. The vulnerability is present in several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to a refcount underflow, causing memory management issues that could be exploited to manipulate the kernel's handling of IPv6 addresses.

Reproduction

The vulnerability can be reproduced by activating the router solicitation timer ('rs_timer') for an IPv6 device without properly holding the associated 'idev' reference. This can be done by modifying the 'rs_timer' timeout while the timer is still pending, which creates a window where the 'idev' reference is not held, but the timer callback is executed, leading to a refcount underflow.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.