Linux Kernel Uninitialized Memory Vulnerability in XFRM State Management

Vulnerability

A use-after-free vulnerability exists in the Linux kernel's XFRM (IPsec) state management. The function 'xfrm_alloc_spi' incorrectly treats 0 as a valid Security Parameter Index (SPI) value, although in XFRM an SPI of 0 means 'no SPI assigned'. Following an earlier commit that changed how SPIs are handled, states with this value are now erroneously created and added to the 'bys' list. Because 'xfrm_state_delete' does not remove such entries from the list, the list retains a reference to the state after it is freed, and the next traversal of the 'bys' list dereferences freed memory.

Impact

Triggering this vulnerability results in a use-after-free in kernel memory, which can lead to memory corruption and potentially to arbitrary code execution.

Reproduction

The vulnerability is reproduced by creating an XFRM state that is assigned an SPI of 0 and then deleting it: the state is added to the 'bys' list on allocation but is not removed from that list on deletion, so the list keeps a dangling reference to the freed state and the next lookup on the list yields a use-after-free.
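The root cause described above is a mismatch between two code paths: the allocation path links a state on the by-SPI list even when its SPI is 0, while the deletion path assumes that no SPI-0 state was ever linked and therefore skips the unlink. The following is an added, deliberately simplified C model of that invariant; it is not kernel code, and the names (`spi_list`, `alloc_spi_buggy`, `alloc_spi_fixed`, `state_delete`, the constructed SPI value `0x1000`) are assumptions made for the illustration. Instead of freeing memory it sets a `freed` flag, so the dangling reference can be counted safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (not the kernel's struct xfrm_state): a state that may be
 * linked on a by-SPI lookup list.  SPI 0 means "no SPI assigned". */
struct state {
    uint32_t spi;
    bool on_spi_list;   /* whether the state is currently linked */
    bool freed;         /* stands in for kfree(); set instead of freeing */
    struct state *next; /* by-SPI list link */
};

struct spi_list { struct state *head; };

static void spi_list_add(struct spi_list *l, struct state *s)
{
    s->next = l->head;
    l->head = s;
    s->on_spi_list = true;
}

static void spi_list_del(struct spi_list *l, struct state *s)
{
    struct state **pp = &l->head;
    while (*pp && *pp != s)
        pp = &(*pp)->next;
    if (*pp) {
        *pp = s->next;
        s->next = NULL;
        s->on_spi_list = false;
    }
}

/* Buggy allocation path: whatever value it ends up with, including 0, is
 * treated as a real SPI and the state is linked on the list. */
static void alloc_spi_buggy(struct spi_list *l, struct state *s, uint32_t spi)
{
    s->spi = spi;
    spi_list_add(l, s);
}

/* Fixed allocation path: 0 is "no SPI", so a state is never linked with it. */
static bool alloc_spi_fixed(struct spi_list *l, struct state *s, uint32_t spi)
{
    if (spi == 0)
        return false; /* reject; the caller must supply a real SPI */
    s->spi = spi;
    spi_list_add(l, s);
    return true;
}

/* Deletion path, identical in both scenarios: it assumes only states with a
 * non-zero SPI were ever linked, so an SPI-0 state is not unlinked before
 * it is "freed". */
static void state_delete(struct spi_list *l, struct state *s)
{
    if (s->spi != 0)
        spi_list_del(l, s);
    s->freed = true; /* the pointer may still be reachable from the list */
}

/* Walk the list as a later lookup would and count entries already freed.
 * Any non-zero result is a dangling reference, i.e. a use-after-free. */
static int count_dangling(const struct spi_list *l)
{
    int n = 0;
    for (const struct state *s = l->head; s; s = s->next)
        if (s->freed)
            n++;
    return n;
}

/* Allocation with SPI 0 followed by deletion: the freed state stays linked. */
int scenario_buggy(void)
{
    struct spi_list l = {0};
    struct state s = {0};
    alloc_spi_buggy(&l, &s, 0);
    state_delete(&l, &s);
    return count_dangling(&l); /* 1 */
}

/* Same sequence with the SPI-0 rejection: allocation falls back to a
 * constructed non-zero SPI, so insert and delete agree and nothing dangles. */
int scenario_fixed(void)
{
    struct spi_list l = {0};
    struct state s = {0};
    if (!alloc_spi_fixed(&l, &s, 0))
        alloc_spi_fixed(&l, &s, 0x1000); /* constructed sample SPI */
    state_delete(&l, &s);
    return count_dangling(&l); /* 0 */
}

int main(void)
{
    printf("buggy path: %d dangling entry(ies)\n", scenario_buggy());
    printf("fixed path: %d dangling entry(ies)\n", scenario_fixed());
    return 0;
}
```

The point of the model is the check in `count_dangling`: whichever path is patched, the invariant to verify is that every state reachable from the by-SPI list is still live after `state_delete` returns, which holds only when the allocation and deletion paths use the same definition of "no SPI".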

Remediation

Users should upgrade to a Linux kernel release that contains the fix for this issue. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Oct 13, 2025, 2:17 PM
Updated: Oct 13, 2025, 2:17 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.