Linux Kernel SMC Socket Type Confusion Vulnerability Leading to Double Free

Vulnerability

A vulnerability in the Linux kernel's handling of socket types has been identified in the SMC (Shared Memory Communication) socket implementation. The issue is a type confusion that lets SMC sockets be treated as INET sockets even though the SMC socket structure is not laid out as an INET socket. This mismatch leads to improper handling of socket options, so that addresses in read-only memory are freed multiple times. The vulnerability was reported by syzbot and is linked to a recent change that allowed SMC sockets to hijack INET family identifiers, creating confusion in the socket management system.
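As an added illustration of the layout mismatch behind this bug class (a constructed, simplified C model, not kernel code and not the actual upstream fix), the same INET-side release path is run against an SMC structure that only starts with the common socket header and against one that embeds a full inet_sock; the structure names, fields and family value are assumptions:

```c
#include <stddef.h>
/* Constructed, simplified models of the kernel structures; hypothetical
 * names and layouts, not the real Linux definitions. */
struct sock {                   /* common header every socket starts with */
    int sk_family;              /* family id, e.g. 2 for AF_INET */
    int sk_state;
};

struct inet_sock {              /* what INET-family code expects behind a struct sock */
    struct sock sk;
    void *inet_opt;             /* heap object freed when the socket is released */
};

static void smc_state_change(struct sock *sk) { (void)sk; }

/* Vulnerable layout: only the bare header, yet the socket carries an INET
 * family id, so INET code reads past the header into SMC's own fields. */
struct smc_sock_vuln {
    struct sock sk;
    void (*state_change)(struct sock *);  /* lives in the text segment */
};

/* Hardened layout: embed the full inet_sock so the INET view is valid. */
struct smc_sock_fixed {
    struct inet_sock inet;
    void (*state_change)(struct sock *);
};
_Static_assert(sizeof(struct smc_sock_fixed) >= sizeof(struct inet_sock), "INET-family socket must be at least an inet_sock");

/* INET release path: returns the pointer it would hand to kfree(). */
static void *inet_release_opt(struct sock *sk)
{
    struct inet_sock *inet = (struct inet_sock *)sk;  /* trusts sk_family */
    return inet->inet_opt;
}

/* 1 if the release path would try to free the SMC function pointer. */
int vuln_layout_frees_text_pointer(void)
{
    struct smc_sock_vuln smc = { { 2, 0 }, smc_state_change };
    return inet_release_opt(&smc.sk) == (void *)smc_state_change;
}

/* 1 if the hardened layout hands back only the real inet_opt (NULL here). */
int fixed_layout_frees_real_opt(void)
{
    struct smc_sock_fixed smc = { { { 2, 0 }, NULL }, smc_state_change };
    return inet_release_opt(&smc.inet.sk) == NULL;
}
```

In the vulnerable layout the pointer handed to the free path is a text-segment address, which is exactly the invalid free on read-only memory described above.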

Impact

Exploitation of this vulnerability leads to a double free, where the same memory is freed more than once, which can cause memory corruption or other undefined behaviour in the kernel.

Reproduction

The vulnerability can be reproduced by creating an SMC socket and allowing it to be treated as an INET socket. This can be done by manipulating the socket family identifiers to confuse the kernel's socket management. Once the SMC socket is misclassified, the issue can be triggered by accessing the socket options, which will inadvertently reference a function pointer in the text segment, leading to a double-free error.

Remediation

The vulnerability has been addressed in the Linux kernel by ensuring that the SMC socket structure is properly aligned with the INET socket requirements. Users should upgrade to the latest stable version of the Linux kernel where this issue has been fixed.

Added: Jul 28, 2025, 1:09 PM
Updated: Jul 28, 2025, 1:09 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.7
remediation     0.0
relevance       0.3
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.