Linux Kernel Slab-Use-After-Free Vulnerability in IP VTI Device

Vulnerability

A slab-use-after-free vulnerability has been identified in the Linux kernel's IP VTI (Virtual Tunnel Interface) implementation, specifically when the VTI device is configured with the SFB (Stochastic Fairness Buffer) queuing discipline. The issue arises because the control block (cb) field of the transmitted socket buffer (skb) can be altered during the enqueuing process. As a result, a use-after-free condition may occur when the IP VTI device transmits IPv6 packets. The vulnerability has been addressed by modifying the transmission process so that the cb field is reset before packets are sent.
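
The cb reuse described above can be shown with a small user-space model. This is an added example, not kernel code and not the actual fix. The model_* structs, functions and sample values are hypothetical; only the 48-byte size of skb->cb is taken from the kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKB_CB_SIZE 48   /* size of skb->cb in the Linux kernel */

/* Simplified stand-in for struct sk_buff: only the shared scratch area. */
struct model_skb { unsigned char cb[SKB_CB_SIZE]; };

/* Hypothetical private layouts: each layer overlays its own struct on cb. */
struct model_qdisc_cb { uint32_t hashes[2]; };               /* queuing discipline */
struct model_tx_cb    { uint32_t flags; uint32_t hdr_off; }; /* transmit path */

/* The queuing discipline stores per-packet state in cb while enqueuing. */
static void model_qdisc_enqueue(struct model_skb *skb, uint32_t h0, uint32_t h1)
{
    struct model_qdisc_cb q = { { h0, h1 } };
    memcpy(skb->cb, &q, sizeof q);
}

/* The transmit path reads cb through its own layout. With reset_cb == 0 it
 * trusts whatever the previous owner left behind (the defect); with
 * reset_cb == 1 it clears cb first (the shape of the fix the page describes). */
static struct model_tx_cb model_xmit(struct model_skb *skb, int reset_cb)
{
    struct model_tx_cb view;
    if (reset_cb)
        memset(skb->cb, 0, sizeof skb->cb);
    memcpy(&view, skb->cb, sizeof view);
    return view;
}

/* Returns the header offset the transmit path would act on. */
static uint32_t model_send(uint32_t h0, uint32_t h1, int reset_cb)
{
    struct model_skb skb;
    memset(&skb, 0, sizeof skb);        /* packet starts with a clean cb */
    model_qdisc_enqueue(&skb, h0, h1);  /* qdisc overwrites cb */
    return model_xmit(&skb, reset_cb).hdr_off;
}

int main(void)
{
    /* Constructed sample values standing in for qdisc per-packet state. */
    printf("without reset: hdr_off=0x%x\n", (unsigned)model_send(0x1234u, 0x5678u, 0));
    printf("with reset:    hdr_off=0x%x\n", (unsigned)model_send(0x1234u, 0x5678u, 1));
    return 0;
}
```

Without the reset, the transmit path acts on a value that was never written for it; with the reset, it sees a zeroed control block.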

Impact

Triggering this vulnerability causes a use-after-free condition, which may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, configure an IP VTI device to use the SFB queuing discipline. Then, send IPv6 packets through the VTI device. The vulnerability can be observed as a slab-use-after-free condition, which may be exploited to execute arbitrary code or cause a system crash.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Oct 4, 2025, 5:25 PM
Updated: Oct 4, 2025, 5:25 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.