Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem, specifically within the connection closure process. This issue arises when the TIPC server infrastructure is dismantled, leading to a null pointer dereference. The vulnerability occurs because the function responsible for closing connections is called after releasing a lock, creating a window where the connection may no longer be valid. This flaw can be exploited by concurrent operations that manipulate connection references, potentially causing memory corruption.
Exploitation of this vulnerability leads to a use-after-free condition, where a freed memory location is accessed, commonly resulting in memory corruption or arbitrary code execution.
The vulnerability can be reproduced by initiating a TIPC connection and then dismantling the associated network namespace. During this process, the TIPC server stops and iterates through active connections, closing each one. However, the connection closure function is called after releasing the lock that protects access to the connection data. If the last reference to a connection is released while the lock is still held, the connection may be accessed after it has been freed, causing a use-after-free error.
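The teardown race described above, as an added user-space C model (not kernel code and not taken from this advisory). All names are hypothetical, the concurrent worker is run inline in the unlocked window so the interleaving is deterministic, and `freed` is only a flag so the model never touches released memory. The variant that takes a reference under the lock is the general remedy for this class of bug, shown as an assumption and not quoted from the kernel fix.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define NCONN 3
struct conn { int refs; bool open; bool freed; };  /* freed: flag only, nothing is really released */

static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct conn pool[NCONN];
static int uaf_hits;

static void conn_put(struct conn *c) { if (--c->refs == 0) c->freed = true; }

static void conn_close(struct conn *c)
{
    if (c->freed) { uaf_hits++; return; }  /* kernel code would dereference freed memory here */
    if (c->open) { c->open = false; conn_put(c); }  /* drop the "connected" reference once */
}

/* Stand-in for the concurrent receive worker: closes, then drops its own reference. */
static void worker(struct conn *c) { conn_close(c); conn_put(c); }

/* Server teardown loop. Returns how many closes hit an already-freed connection. */
static int server_stop(bool hold_ref)
{
    uaf_hits = 0;
    for (int i = 0; i < NCONN; i++)
        pool[i] = (struct conn){ .refs = 2, .open = true, .freed = false };
    for (int i = 0; i < NCONN; i++) {
        struct conn *c = &pool[i];
        pthread_mutex_lock(&table_lock);
        bool pinned = hold_ref && c->refs > 0;  /* get-unless-zero, taken under the lock */
        if (pinned) c->refs++;
        pthread_mutex_unlock(&table_lock);
        worker(c);                 /* unlocked window: last outside reference goes away */
        if (hold_ref && !pinned) continue;      /* already dying, nothing to close */
        conn_close(c);             /* safe only if this loop still holds a reference */
        if (pinned) conn_put(c);
    }
    return uaf_hits;
}

static int live_conns(void)
{
    int n = 0;
    for (int i = 0; i < NCONN; i++) n += !pool[i].freed;
    return n;
}

int main(void)
{
    printf("close after unlock, no ref: %d stale closes\n", server_stop(false));
    printf("ref taken under lock:       %d stale closes\n", server_stop(true));
    return 0;
}
```
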
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the latest version can be found on the official Linux kernel website.