Linux Kernel NBD Subsystem Use-After-Free Vulnerability in Error Handling Path

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Network Block Device (NBD) subsystem. The issue arises in the error handling path of the 'nbd_genl_connect()' function; the reported instance involved block device 'nbd6'. When an error occurs, the function fails to properly stop the device before releasing its configuration, leaving the receive worker with a dangling reference and producing a use-after-free condition. The vulnerability was detected using the Kernel Address Sanitizer (KASAN), which reported a slab-use-after-free error in the 'recv_work' function. The issue affects Linux kernel versions prior to 6.15.0-rc5.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by triggering a control reception failure on the 'nbd6' block device. This can be done by simulating a failure in the 'nbd_genl_connect()' function, which handles the connection of NBD devices. The error path is then taken, and the vulnerability manifests as a use-after-free in the 'recv_work' function.

Remediation

Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.