Linux Kernel Raw Socket NULL Pointer Dereference Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's handling of raw sockets. This issue arises in the 'raw_get_next()' function, where one thread can iterate over a socket that is being freed by another thread in a different network namespace. The vulnerability was introduced after raw sockets were converted to use Read-Copy-Update (RCU) synchronization, allowing for lockless iteration over the sockets. However, this new approach can lead to a NULL dereference if a socket is unregistered while it is being accessed. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability leads to a general protection fault, caused by a NULL pointer dereference. This type of error can often be exploited to cause a denial of service by crashing the system or application.

Reproduction

The vulnerability can be reproduced by creating a raw socket and then simultaneously freeing it in another network namespace while another thread is iterating over the sockets. This can be done using the 'unshare' command to create a new network namespace, and then opening a raw socket in that namespace. After that, the socket can be freed while another thread is still reading from it, causing a NULL pointer dereference.

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.