Linux Kernel KCM Module Race Condition Vulnerability in Unattachment Process

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's KCM (Kernel Connection Multiplexor) module. This issue arises when the 'kcm_unattach' and 'kcm_release' functions are executed simultaneously. The 'kcm_unattach' function does not properly check the 'tx_stopped' flag before queuing work, which can lead to a situation where 'kcm_unattach' is called between the 'cancel_work_sync' and 'unreserve_psock' operations in 'kcm_release'. As a result, 'kcm->tx_work' can be requeued just before the KCM socket is freed, causing a potential use-after-free scenario.

Impact

Triggering this race condition causes a use-after-free in the KCM module: the requeued 'kcm->tx_work' runs against a freed KCM socket. Such a use-after-free could be leveraged to execute arbitrary code in the kernel or to cause a denial-of-service condition.

Reproduction

To reproduce this vulnerability, reserve a KCM socket and then run the 'kcm_unattach' and 'kcm_release' paths concurrently. Because 'kcm_unattach' does not check the 'tx_stopped' flag, it can requeue 'kcm->tx_work' after 'kcm_release' has already run 'cancel_work_sync', so the work item is pending at the moment the KCM socket is freed.
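The two passages above describe a classic "check the stop flag before queuing deferred work" defect. The following C program is an added example, not code from the kernel or from this advisory: it is a constructed, single-threaded model in which the release path is driven step by step with the unattach path injected into the exact window the advisory names (after the synchronous cancel, before the free). All names ('struct kcm_model', 'unattach_unguarded', 'unattach_guarded', 'release_with_interleaved_unattach') are hypothetical; the real kernel holds a spinlock around these flags, which the model replaces with atomics for a sequential demonstration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a socket that owns one deferred "tx work" item.
 * Hypothetical type, not the kernel's struct kcm_sock. */
struct kcm_model {
    atomic_bool tx_stopped;     /* set by the release path before cancelling work */
    atomic_bool tx_work_queued; /* true while a tx_work item is pending */
    bool freed;                 /* the object has been released */
};

static void model_init(struct kcm_model *k)
{
    atomic_store(&k->tx_stopped, false);
    atomic_store(&k->tx_work_queued, false);
    k->freed = false;
}

/* Defect pattern: unattach queues tx_work without consulting tx_stopped. */
static void unattach_unguarded(struct kcm_model *k)
{
    atomic_store(&k->tx_work_queued, true);
}

/* Remediated pattern: unattach refuses to queue once tx_stopped is set,
 * so nothing can be pending after the release path's synchronous cancel. */
static void unattach_guarded(struct kcm_model *k)
{
    if (!atomic_load(&k->tx_stopped))
        atomic_store(&k->tx_work_queued, true);
}

/* Models the release path: stop tx, cancel pending work synchronously, then
 * free. The unattach callback is invoked in the window the advisory
 * describes (between the cancel and the free). Returns true when a work
 * item is still queued at the point of the free, i.e. the work would later
 * run against freed memory. */
static bool release_with_interleaved_unattach(struct kcm_model *k,
                                              void (*unattach)(struct kcm_model *))
{
    atomic_store(&k->tx_stopped, true);

    /* cancel_work_sync(): after this returns, no tx_work is pending */
    atomic_store(&k->tx_work_queued, false);

    /* the race window: a concurrent unattach lands here */
    unattach(k);

    /* unreserve/free: anything still queued now dangles */
    bool dangling = atomic_load(&k->tx_work_queued);
    k->freed = true;
    return dangling;
}

/* Convenience wrappers so each scenario is a named result. */
bool scenario_unguarded_leaves_dangling_work(void)
{
    struct kcm_model k;
    model_init(&k);
    return release_with_interleaved_unattach(&k, unattach_unguarded);
}

bool scenario_guarded_leaves_dangling_work(void)
{
    struct kcm_model k;
    model_init(&k);
    return release_with_interleaved_unattach(&k, unattach_guarded);
}

int main(void)
{
    printf("unguarded unattach: work pending at free = %d\n",
           scenario_unguarded_leaves_dangling_work());
    printf("guarded unattach:   work pending at free = %d\n",
           scenario_guarded_leaves_dangling_work());
    return 0;
}
```

The model is deterministic on purpose: it does not try to win a real race, it only fixes the interleaving the advisory describes and shows that the unguarded unattach leaves tx_work queued at the free while the guarded one does not. In the kernel the guard and the flag update must sit under the same lock; in an audit, the thing to look for is any work-queuing path that can run after the owner has set its stop flag and called the synchronous cancel.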

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: Sep 4, 2025, 5:40 PM
Updated: Sep 4, 2025, 5:40 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.