Linux Kernel BPF Sockmap Ingress SKB Reference Count Race Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's BPF sockmap implementation. It stems from a race condition in which socket buffers (SKBs) on the socket's PSock backlog can be accessed after userspace has already consumed them, by which point their reference count has dropped to zero and the buffer has been freed. The vulnerability is present in the stable versions of the Linux kernel.
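
The ordering problem described above can be replayed deterministically in userspace. The following C model is an added example, not kernel code and not the upstream fix; struct buf, replay_backlog and the pin flag are hypothetical names, and having the worker take its own reference is an assumed remedy for this class of bug.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for struct sk_buff: only the reference count matters. */
struct buf { int refcnt; bool freed; /* freed is recorded, not acted on */ };

static void buf_get(struct buf *b) { b->refcnt++; }
static void buf_put(struct buf *b) { if (--b->refcnt == 0) b->freed = true; }

struct outcome {
    bool touched_freed; /* worker used the buffer after its count hit zero */
    int  final_refcnt;  /* 0: every reference was dropped exactly once */
};

/*
 * Replays one fixed interleaving of the backlog worker and a userspace reader.
 * pin=false is the racy ordering described above; pin=true has the worker take
 * its own reference first (an assumed remedy for this bug class, not a claim
 * about the upstream patch).
 */
struct outcome replay_backlog(bool pin)
{
    struct buf skb = { .refcnt = 1, .freed = false };
    struct buf *backlog_head = &skb;  /* worker peeks; skb stays on the backlog */
    struct outcome out;

    if (pin)
        buf_get(backlog_head);        /* worker's own reference */

    struct buf *rx_head = backlog_head; /* worker publishes skb to the receive queue */
    buf_put(rx_head);                 /* reader consumes it, dropping that reference */

    /* Worker resumes and dequeues the same pointer from the backlog. */
    out.touched_freed = backlog_head->freed;
    if (pin)
        buf_put(backlog_head);        /* worker is done with the buffer */

    out.final_refcnt = skb.refcnt;
    return out;
}

int main(void)
{
    printf("unpinned: touched_freed=%d\n", replay_backlog(false).touched_freed);
    printf("pinned:   touched_freed=%d\n", replay_backlog(true).touched_freed);
    return 0;
}
```

In both orderings the count ends at zero; the difference is only whether the worker's last access happens before or after that point.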

Impact

Triggering this vulnerability causes a general protection fault, indicating a use-after-free condition that can potentially be exploited to execute arbitrary code or cause a denial of service.

Reproduction

The vulnerability can be reproduced by running the 'sockmap_listen' test with the 'test_progs' tool. This triggers the PSock backlog processing, where the race condition occurs when SKBs that userspace has already freed are dequeued.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed.

Added: Dec 9, 2025, 4:23 PM
Updated: Dec 10, 2025, 12:33 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.