Linux Kernel PPP Race Condition Vulnerability in Forward Path Handling

A race condition vulnerability has been identified in the Linux kernel's PPP (Point-to-Point Protocol) implementation, specifically within the `ppp_fill_forward_path` function. This vulnerability arises from two main issues: First, the `ppp->channels` list can be modified between the checks for emptiness and the retrieval of the first entry, as the necessary lock is not applied. This can lead to a situation where a deleted channel is accessed, causing a system panic. Second, the channel pointer `pch->chan` can be NULL when a channel is unregistered, creating the potential for dereferencing a null pointer. These issues have been addressed by implementing a lockless RCU (Read-Copy-Update) approach, which safely manages concurrent modifications and access to the channel list.

Impact

Exploitation of this vulnerability can lead to a system panic, causing a denial of service by crashing the system or application that is handling PPP connections.

Reproduction

The vulnerability can be reproduced by creating a PPP connection and then rapidly disconnecting a channel while the `ppp_fill_forward_path` function is processing. This race condition can be triggered by manipulating the timing of channel disconnections, such as by using multiple threads or asynchronous operations that interfere with the normal sequential processing of PPP channels.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.