Linux Kernel SUNRPC Double Free Vulnerability in xprt_ctxt Management

Vulnerability

A double free vulnerability has been identified in the Linux kernel's SUNRPC implementation, specifically in how the xprt_ctxt pointer is managed during deferred RPC requests. When a request is deferred, the xprt_ctxt pointer is transferred from the svc_rqst to the svc_deferred_req. If the deferred request is revisited and deferred again, the old svc_deferred_req is reused without clearing the xprt_ctxt pointer. This oversight can lead to the xprt_ctxt being freed multiple times, causing a kernel oops error. The vulnerability affects the stable versions of the Linux kernel.

Impact

Triggering this vulnerability causes a double free, which results in a kernel oops, a type of kernel error that can destabilize the system.

Reproduction

To reproduce this vulnerability, an RPC request must be deferred twice. The first deferral moves the xprt_ctxt pointer to the svc_deferred_req. When the request is deferred a second time, the old svc_deferred_req is reused, but the xprt_ctxt pointer is not cleared. This allows the xprt_ctxt to be referenced again when the deferred request is processed, leading to the xprt_ctxt being freed a second time, causing a double free error.
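
The double-deferral sequence described above, as an added user-space model in C; it is not kernel code and not the upstream patch. The type and function names, the free counter, and the assumption that a revisit copies the pointer back into the request while the deferred record keeps it are illustrative, and the `fixed` flag shows one way to clear the stale pointer, not necessarily the way the patch does.

```c
#include <stdio.h>
/* User-space model: illustrative names, not kernel code; a "free" only bumps a counter. */
struct ctxt     { int frees; };
struct deferred { struct ctxt *xprt_ctxt; };
struct rqst     { struct ctxt *xprt_ctxt; struct deferred *dr; };

/* End of a processing pass: release any context the request still holds. */
static void release(struct rqst *rq)
{
    if (rq->xprt_ctxt) rq->xprt_ctxt->frees++;
    rq->xprt_ctxt = NULL;
}

/* First deferral moves the pointer into a new record; a repeat reuses the old one. */
static void defer(struct rqst *rq, struct deferred *fresh, int fixed)
{
    if (!rq->dr) {
        fresh->xprt_ctxt = rq->xprt_ctxt;
        rq->dr = fresh;
        rq->xprt_ctxt = NULL;
    } else if (fixed) {
        rq->xprt_ctxt = NULL;   /* hardened: request drops its copy */
    }                           /* vulnerable: two holders of one context */
}

/* Revisit: assumed to copy the pointer back while the record keeps it. */
static void revisit(struct rqst *rq, struct deferred *dr)
{
    rq->xprt_ctxt = dr->xprt_ctxt;
    rq->dr = dr;
}

/* Defer twice, then complete; returns how often the context was freed. */
int count_frees(int fixed)
{
    struct ctxt c = { 0 }; struct deferred dr = { NULL };
    struct rqst rq = { &c, NULL };
    defer(&rq, &dr, fixed);  release(&rq);   /* first deferral */
    revisit(&rq, &dr);
    defer(&rq, &dr, fixed);  release(&rq);   /* second deferral reuses dr */
    revisit(&rq, &dr);       release(&rq);   /* request completes */
    return c.frees;
}

int main(void)
{
    printf("vulnerable=%d hardened=%d\n", count_frees(0), count_frees(1));
    return 0;
}
```

In the vulnerable path the context is released once after the second deferral and again when the request completes; with the pointer cleared on reuse it is released exactly once.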

Remediation

The vulnerability has been addressed in a patch that is available in the Linux kernel stable tree. Instructions for applying the patch can be found in the Linux kernel Git repository.

Added: Dec 30, 2025, 2:45 PM
Updated: Dec 30, 2025, 2:45 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.