Linux Kernel Use-After-Free Vulnerability in RPL Header Processing

Vulnerability

A use-after-free vulnerability has been identified in rpl_do_srh_inline(), the Linux kernel's RPL (Routing Protocol for Low-Power and Lossy Networks) header processing function. It affects kernel versions prior to 6.16.0-rc5-01302-gfadd1e6231b1. The function accesses the IPv6 header after an operation that can free that header, which results in an illegal memory access. The condition can be triggered by running the self-test script lwt_dst_cache_ref_loop.sh with KASAN (Kernel Address Sanitizer) enabled; the kernel then logs an error message reporting the use-after-free.
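
The ordering problem described above, shown on a toy buffer as an added example (this is not the kernel's code or the upstream fix). `struct pkt`, `pkt_expand_head()` and the other names are hypothetical, and the example assumes the header-freeing operation is one that may move the packet head to a new allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy packet buffer (hypothetical stand-in, not the kernel's struct sk_buff). */
struct pkt { unsigned char *buf; size_t headroom, len; };

/* The header pointer is always derived from the current allocation. */
static unsigned char *pkt_hdr(const struct pkt *p) { return p->buf + p->headroom; }

static int pkt_init(struct pkt *p, size_t headroom, const unsigned char *d, size_t len)
{
    p->buf = malloc(headroom + len);
    if (!p->buf) return -1;
    p->headroom = headroom; p->len = len;
    memcpy(pkt_hdr(p), d, len);
    return 0;
}

/* Guarantee `need` bytes of headroom. When there is not enough, the data is
 * copied to a new allocation and the old one is freed. */
static int pkt_expand_head(struct pkt *p, size_t need)
{
    if (p->headroom >= need) return 0;
    unsigned char *nbuf = malloc(need + p->len);
    if (!nbuf) return -1;
    memcpy(nbuf + need, pkt_hdr(p), p->len);
    free(p->buf);
    p->buf = nbuf; p->headroom = need;
    return 0;
}

/* Unsafe order: hdr = pkt_hdr(p); pkt_expand_head(p, n); ...read hdr...
 * Reports whether that cached pointer went stale, without dereferencing it. */
static int cached_hdr_is_stale(struct pkt *p, size_t need)
{
    uintptr_t before = (uintptr_t)pkt_hdr(p);
    if (pkt_expand_head(p, need) < 0) return -1;
    return before != (uintptr_t)pkt_hdr(p);
}

/* Safe order: expand first, then re-derive the header pointer and read it. */
static int hop_limit_after_expand(struct pkt *p, size_t need)
{
    if (pkt_expand_head(p, need) < 0) return -1;
    return pkt_hdr(p)[7]; /* byte 7 of an IPv6 header is the hop limit */
}
```

The cached pointer only goes stale when the buffer lacks headroom, which is why this class of bug can pass ordinary testing and surface only under a sanitizer such as KASAN.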

Impact

Exploitation of this vulnerability leads to a use-after-free condition, allowing for potential memory corruption.

Reproduction

The vulnerability can be reproduced by running the lwt_dst_cache_ref_loop.sh self-test script with KASAN enabled. This script will trigger the use-after-free vulnerability in the rpl_do_srh_inline() function, which processes RPL headers and can access freed memory, causing a kernel error.

Added: Jul 28, 2025, 1:07 PM
Updated: Jul 28, 2025, 1:07 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.