Linux Kernel Use-After-Free Vulnerability in AF_UNIX Socket Handling

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of out-of-band (OOB) data on AF_UNIX sockets. The issue is in the 'unix_stream_read_generic' function, which does not properly manage consecutive consumed OOB skbs (socket buffers). It can be exploited by sending OOB data through one socket of a pair, which leaves the consumed skbs in the receive queue. When the next OOB message is sent, the 'recv' operation can inadvertently access and free a previously consumed skb, resulting in a use-after-free condition. The resulting memory corruption is reported by the Kernel Address Sanitizer (KASAN). In addition, the 'ioctl(SIOCATMARK)' command does not behave correctly when consecutive consumed OOB skbs are present.

Impact

Exploitation of this vulnerability causes a use-after-free condition, leading to memory corruption. This can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by creating a pair of UNIX stream sockets and sending out-of-band data with the 'send' function. After sending the first OOB message, the corresponding socket can be read with 'recv', which consumes the skb but leaves it in the queue. This process can be repeated, leaving multiple consumed OOB skbs in the receive queue. The vulnerability is then triggered by reading the next OOB message, which accesses a consumed skb that has already been freed, creating a use-after-free condition.

Remediation

The vulnerability has been addressed in the official Linux kernel repository. Users should upgrade to the latest version of the Linux kernel where this issue has been fixed.
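
Where a sandboxed process must keep running on a kernel that has not yet been upgraded, the trigger described above (OOB data passed with MSG_OOB) can be denied with a seccomp filter. This is an added example, not code from this advisory or from the kernel project; the names install_oob_filter and oob_blocked_in_child are hypothetical, and it assumes a little-endian x86_64 or aarch64 Linux build.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 build otherwise */
#endif
/* If the syscall is `sysno`, load the low 32 bits of flags argument `n`:
 * return EPERM when MSG_OOB is set, otherwise allow the call. */
#define DENY_OOB(sysno, n) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (sysno), 0, 4), \
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[n])), \
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MSG_OOB, 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install the filter on the calling thread; returns 0 on success, -1 on failure. */
int install_oob_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 2), /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1),  /* x32 numbers: kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        DENY_OOB(__NR_sendto, 3), DENY_OOB(__NR_sendmsg, 2), DENY_OOB(__NR_sendmmsg, 3),
        DENY_OOB(__NR_recvfrom, 3), DENY_OOB(__NR_recvmsg, 2), DENY_OOB(__NR_recvmmsg, 3),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ? -1 : prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Self-check in a forked child: 1 = MSG_OOB denied and plain send still works,
 * 0 = MSG_OOB not denied, -1 = filter could not be installed or checked. */
int oob_blocked_in_child(void) {
    int sv[2], st = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || install_oob_filter()) _exit(2);
        int denied = send(sv[0], "x", 1, MSG_OOB) == -1 && errno == EPERM;
        _exit(denied && send(sv[0], "y", 1, 0) == 1 ? 0 : 1);
    }
    return (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 2) ? -1 : WEXITSTATUS(st) == 0;
}
```

seccomp sees only syscall arguments, not the socket family, so this filter also denies MSG_OOB on TCP sockets. It narrows exposure until the fixed kernel is deployed and does not replace the upgrade.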

Added: Jul 8, 2025, 8:19 AM
Updated: Jul 8, 2025, 8:19 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.