Linux Kernel GTP Subsystem Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's GTP (GPRS Tunneling Protocol) subsystem, specifically within the function '__gtp_encap_destroy()'. This vulnerability arises because the function improperly manages socket references, leading to the potential for illegal memory access. The issue was reported by syzkaller, which demonstrated that a socket was freed and then accessed again, causing a use-after-free condition. The vulnerability affects several versions of the Linux kernel.
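The reference-handling failure described above can be modelled in user space. This is an added example, not kernel code and not the upstream fix: the `toy_sock` type, its helpers and the "drop the reference before the final unlock" ordering are assumptions chosen to illustrate the bug class. Freed state is tracked with a flag, so no freed memory is ever accessed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a refcounted socket (hypothetical; not the kernel's struct sock). */
struct toy_sock {
    int   refcnt;      /* references still held */
    bool  locked;      /* models a per-socket lock */
    bool  freed;       /* set instead of free() so misuse is observable safely */
    void *user_data;   /* back-pointer to per-device state */
    int   stale_uses;  /* accesses made after the last reference was dropped */
};

/* Every access goes through here so post-free touches are counted, not executed. */
static struct toy_sock *toy_use(struct toy_sock *sk)
{
    if (sk->freed)
        sk->stale_uses++;
    return sk;
}

static void toy_put(struct toy_sock *sk)
{
    if (--toy_use(sk)->refcnt == 0)
        sk->freed = true;  /* a real allocator would reclaim the memory here */
}

/* Teardown in either order; the flawed order is an assumption of this model. */
static int toy_destroy(struct toy_sock *sk, bool put_before_unlock)
{
    toy_use(sk)->locked = true;
    toy_use(sk)->user_data = NULL;
    if (put_before_unlock)
        toy_put(sk);              /* flawed: may drop the last reference */
    toy_use(sk)->locked = false;  /* flawed order: stale if that was the last ref */
    if (!put_before_unlock)
        toy_put(sk);              /* safe: reference dropped after last access */
    return sk->stale_uses;
}

/* One teardown on a socket that starts with `refs` references. */
int stale_uses_after_destroy(int refs, bool put_before_unlock)
{
    struct toy_sock sk = { .refcnt = refs, .user_data = &refs };
    return toy_destroy(&sk, put_before_unlock);
}

int main(void)
{
    printf("flawed=%d safe=%d\n", stale_uses_after_destroy(1, true), stale_uses_after_destroy(1, false));
}
```

With two references outstanding the flawed order reports no stale access, which is why this class of bug tends to surface only when the teardown path happens to hold the last reference.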

Impact

Exploitation of this vulnerability leads to a use-after-free condition, where memory that has already been freed is accessed again. This can potentially allow for arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by creating a socket and then deleting it while still holding a reference to its user data. This can be done by using the GTP subsystem to manage the socket, and then triggering the deletion process through the network device uninitialization routine. The syzkaller tool can automate this process, as it has been used to discover the vulnerability.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.

Added: Dec 24, 2025, 2:51 PM
Updated: Dec 24, 2025, 2:51 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.