Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's netfilter ebtables component. This issue arises when a table blob is updated with new data and then immediately freed by the caller, creating a potential memory corruption scenario. The vulnerability was reported by syzbot, which detected a 'vmalloc-out-of-bounds' error during the unregistration of an ebtables table, indicating that the kernel attempted to read memory outside of its allocated bounds. This issue affects the Linux kernel stable tree.
Exploitation of this vulnerability leads to a use-after-free condition, causing a memory corruption error where the kernel tries to access freed memory, potentially allowing for arbitrary code execution or causing a system crash.
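The ownership mistake described above, as a user-space C model added here for illustration; it is not kernel code and not the upstream fix. All names (`replace_borrow`, `replace_take`, `table_unregister`) are hypothetical, and "freeing" only sets a flag so the stale access can be detected without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: blob_free() marks the blob instead of releasing memory,
 * so a later stale access is observable rather than undefined. */
struct blob { int freed; size_t len; char data[32]; };
struct table { struct blob *cur; };

static struct blob *blob_new(const char *s) {
    struct blob *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->len = strlen(s) < sizeof b->data ? strlen(s) : sizeof b->data - 1;
    memcpy(b->data, s, b->len);
    return b;
}
static void blob_free(struct blob *b) { if (b) b->freed = 1; }

/* Flawed: the table keeps the caller's pointer, but the caller still owns it. */
static void replace_borrow(struct table *t, struct blob *nb) {
    blob_free(t->cur);
    t->cur = nb;
}
/* Hardened: ownership moves to the table and the caller's pointer is cleared,
 * so the caller's later free becomes a no-op. */
static void replace_take(struct table *t, struct blob **nb) {
    blob_free(t->cur);
    t->cur = *nb;
    *nb = NULL;
}
/* Unregister reads the blob: -1 means it was already freed (stale pointer). */
static int table_unregister(struct table *t) {
    if (!t->cur) return 0;
    if (t->cur->freed) return -1;
    int n = (int)t->cur->len;
    blob_free(t->cur);
    t->cur = NULL;
    return n;
}
/* Update the table, let the caller free its blob, then unregister. */
static int run(int hardened) {
    struct table t = { blob_new("old") };
    struct blob *nb = blob_new("new-rules");
    if (!t.cur || !nb) return -2;
    if (hardened) replace_take(&t, &nb); else replace_borrow(&t, nb);
    blob_free(nb);                 /* caller frees right after the update */
    return table_unregister(&t);
}
int main(void) {
    printf("borrowed: %d, ownership moved: %d\n", run(0), run(1));
}
```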
The vulnerability can be reproduced by replacing an ebtables table with a new blob while the previous blob is still in use. This can be done by using the ebtables command to modify a table, which triggers the table replacement process. The 'netns cleanup_net' workqueue can then be used to simulate the conditions under which the vulnerability occurs, as this workqueue is responsible for cleaning up network namespaces and can trigger the unregistration of ebtables tables.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit that addresses this issue is available in the Linux kernel stable tree.