Linux Kernel Flow Block Callback Use-After-Free Vulnerability in Traffic Control API

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's traffic control (tc) subsystem, specifically within the classful queuing discipline API. This issue arises in versions of the kernel prior to the latest stable release. The vulnerability is caused by the improper management of flow block callback instances during the binding process of traffic control blocks. When an error occurs, the callback instances are left in a dangling state, pointing to freed memory, which can be exploited.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, where the system attempts to access memory that has already been freed, potentially allowing for arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by creating a traffic control block and triggering an error that causes the block's callback list to be freed. The flow block callback instances will remain in the driver list, creating dangling pointers that can be accessed, leading to the use-after-free condition.
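The double-list bookkeeping described above, as an added user-space model that is not kernel code and not the upstream patch. All names are hypothetical, a "live" flag stands in for the free so the list walk stays well defined, and the hardened branch (unlink from the driver list before release) is an assumed shape of the fix.

```c
#include <stdio.h>

/* Simplified user-space model. All names are hypothetical, not kernel
 * symbols; a "live" flag stands in for kfree() so the walk stays defined. */
#define POOL 8
struct cb {
    int live;             /* cleared when the callback is released */
    struct cb *blk_next;  /* link in the block's callback list */
    struct cb *drv_next;  /* link in the driver's list */
};
static struct cb pool[POOL], *block_list, *driver_list;

/* Remove one callback from the driver list, if it is linked there. */
static void driver_unlink(struct cb *c) {
    struct cb **pp = &driver_list;
    while (*pp && *pp != c) pp = &(*pp)->drv_next;
    if (*pp) *pp = c->drv_next;
}

/* Error path of bind: release every callback on the block's list. */
static void bind_unwind(int hardened) {
    struct cb *next;
    for (struct cb *c = block_list; c; c = next) {
        next = c->blk_next;
        if (hardened) driver_unlink(c);  /* drop the second reference first */
        c->live = 0;                     /* models the free */
    }
    block_list = NULL;
}

/* Bind ncb callbacks, fail, unwind; count released entries still on the driver list. */
int simulate(int ncb, int hardened) {
    int dangling = 0;
    block_list = driver_list = NULL;
    for (int i = 0; i < ncb && i < POOL; i++) {
        pool[i].live = 1;
        pool[i].blk_next = block_list;  block_list = &pool[i];
        pool[i].drv_next = driver_list; driver_list = &pool[i];
    }
    bind_unwind(hardened);
    for (struct cb *c = driver_list; c; c = c->drv_next)
        dangling += !c->live;            /* each hit is a dangling pointer */
    return dangling;
}

int main(void) {
    printf("unhardened: %d dangling, hardened: %d dangling\n",
           simulate(3, 0), simulate(3, 1));
}
```

Every callback released on the error path is still reachable from the driver list in the unhardened run, which is the dangling state the advisory describes.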

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Dec 30, 2025, 4:02 PM
Updated: Dec 30, 2025, 4:02 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 5.7
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.