Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A list corruption vulnerability has been identified in the Linux kernel's GTP (GPRS Tunneling Protocol) implementation. This issue arises during the network namespace cleanup process, specifically in the 'gtp_net_exit_batch_rtnl()' function. The vulnerability occurs when the 'for_each_netdev()' loop, introduced by a recent commit to manage GTP devices across different network namespaces, inadvertently calls the 'dellink()' method twice for the same device. This double unlinking can corrupt the device's list management, especially when the kernel's debug list feature is enabled.
Triggering this vulnerability corrupts a kernel list and causes a kernel panic with an invalid opcode error when the kernel's list debugging checks fail on the second unlink. List corruption of this kind can be exploited to manipulate kernel data structures, potentially leading to arbitrary code execution or other severe consequences.
The vulnerability can be reproduced by creating a GTP device in one network namespace and its corresponding UDP socket in another. When the network namespaces are cleaned up, the 'gtp_net_exit_batch_rtnl()' function will mistakenly unlink the GTP device twice, once for each namespace, before the device is fully unregistered. This can be observed by enabling the kernel's list debugging features, which will report the corruption caused by the double unlinking.
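To make the failure mode concrete, the following is an added user-space model, not the kernel's own code and not part of this advisory, of the checks CONFIG_DEBUG_LIST performs before an unlink and of a device being unlinked once per namespace; the struct layout, poison values and the "gtp0" scenario are assumptions for illustration.

```c
#include <stdbool.h>

/* User-space model of the kernel's list_head with the sanity checks that
 * CONFIG_DEBUG_LIST performs before unlinking (poison values are stand-ins). */
struct list_head { struct list_head *next, *prev; };
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *e, struct list_head *head) {
    e->prev = head->prev; e->next = head;
    head->prev->next = e; head->prev = e;
}

/* Mirrors __list_del_entry_valid(): an entry may be removed only if it is
 * still consistently linked and was not already poisoned by an earlier del. */
static bool list_del_entry_valid(const struct list_head *e) {
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2) return false;
    return e->prev->next == e && e->next->prev == e;
}

/* Checked unlink. Where this returns false, the real kernel hits BUG() and
 * panics with an invalid-opcode report instead of continuing. */
static bool checked_list_del(struct list_head *e) {
    if (!list_del_entry_valid(e)) return false;
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
    return true;
}

struct gtp_dev { const char *name; struct list_head list; };

/* Models dellink() running once per namespace that references the device
 * (the buggy for_each_netdev() loop); counts calls the list checks accept. */
static int accepted_unlinks(struct gtp_dev *dev, int namespaces) {
    int accepted = 0;
    for (int i = 0; i < namespaces; i++)
        if (checked_list_del(&dev->list)) accepted++;
    return accepted;
}

/* Scenario from the advisory: one GTP device seen by two namespaces. */
static int simulate_double_dellink(void) {
    struct list_head devices;
    struct gtp_dev dev = { .name = "gtp0" };
    list_init(&devices);
    list_add_tail(&dev.list, &devices);
    return accepted_unlinks(&dev, 2);   /* 1: the second dellink() is rejected */
}
```

The fixed kernel avoids the second call entirely; this model only shows why the debug-list check reports the duplicate unlink.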
The vulnerability has been addressed by removing the problematic 'for_each_netdev()' loop in the 'gtp_net_exit_batch_rtnl()' function and allowing the default device exit process to handle the cleanup.