Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of SCTP (Stream Control Transmission Protocol) GSO (Generic Segmentation Offload) packets has been identified. When GSO packets are cloned, the cloned packet still shares fragment SKBs (socket buffers) with the original packet, creating a risk of accessing uninitialized memory. This issue was reported by syzbot and can lead to use-after-free vulnerabilities.
Exploitation of this vulnerability causes use-of-uninitialized-memory bugs, which can lead to undefined behavior, including potential memory corruption or arbitrary code execution.
The vulnerability can be reproduced by sending GSO packets over SCTP. The cloning process of these packets will trigger the issue, as the cloned packets will share fragment SKBs with the original ones, creating a race condition that can be exploited.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading can be found in the official Linux kernel documentation.