Linux Kernel SMC Loopback DMB Buffer Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's SMC (Shared Memory Communications) loopback implementation, the "loopback-ism" device that lets SMC-D connections between sockets on the same host bypass the network stack. The issue arises in the 'smc_lo_register_dmb' function, where DMB (Direct Memory Buffer) buffers are allocated with 'kzalloc'. The same buffers are later handed to 'get_page' in the 'smc_rx_splice' function, the splice receive path, which hands the receive buffer to a pipe and relies on a page reference to keep it alive until the pipe's consumer has read it. Memory from 'kmalloc'/'kzalloc' is slab memory, not an individually refcounted page: 'get_page' on it triggers a warning and, more importantly, does not take a reference that governs the buffer's lifetime. If the DMB is released (for example on connection teardown) before the 'splice_to_pipe' operation has completed and the pipe has drained the buffer, the pipe consumer reads freed kernel memory, a use-after-free.

Impact

Triggering this vulnerability causes a use-after-free of kernel memory, which can lead to kernel memory corruption. The minimum practical outcome is a kernel crash (denial of service); whether the freed memory can be steered into anything more than that depends on what the slab allocator reuses it for, and the page makes no claim of a working escalation. Only systems with the SMC loopback device built and in use (CONFIG_SMC_LO, available since kernel 6.10) are exposed; ordinary TCP traffic on the loopback interface does not reach this code.

Reproduction

The vulnerability is reached through the SMC loopback data path rather than through any single syscall. A DMB is registered via 'smc_lo_register_dmb' when an SMC-D connection is set up over the loopback device, so the buffer is allocated with 'kzalloc'. When the receiving side reads the socket with 'splice' (rather than 'recv'), 'smc_rx_splice' passes that buffer to 'get_page' and queues it to the pipe. If the connection is then torn down, releasing the DMB, before the pipe's consumer has drained the queued data, the consumer reads freed memory. A reproduction therefore mimics an SMC application: establish a loopback SMC-D connection, splice received data from the socket into a pipe, and release the connection before the pipe is read. The page does not provide a reproducer script.
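The lifetime mismatch behind the bug, shown as an added userspace C model that is not the kernel's code: a buffer backed by slab memory is gone the moment its owner frees it, whatever references a pipe still holds, while a refcounted page survives until the last reference is dropped. Every name here (register_dmb, splice_to_pipe_model, run_scenario, model_get_page) is this model's own; the refcount rules follow get_page()/put_page(), and the 0x6b poison byte stands in for what a freeing slab allocator does to a released object.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DMB_LEN 64
#define POISON  0x6b   /* slab-debug style poison: freed memory is overwritten */

/* Backing memory for a DMB. For page-backed memory the refcount governs its
 * lifetime; for a slab object only the owner's kfree() does. */
struct backing {
    int refcount;           /* meaningful only when page-backed */
    bool live;              /* false once the memory has been released */
    unsigned char data[DMB_LEN];
};

struct dmb {
    bool page_backed;       /* true: folio_alloc() path; false: kzalloc() path */
    struct backing *mem;
};

/* What splice leaves in the pipe: where the data is and whether a page
 * reference pins it. */
struct pipe_buf {
    struct backing *mem;
    bool holds_ref;
};

/* Model of get_page(): pins page-backed memory; on slab memory there is no
 * per-object refcount to take (the kernel warns here), so nothing is pinned. */
static bool model_get_page(struct dmb *d)
{
    if (!d->page_backed)
        return false;
    d->mem->refcount++;
    return true;
}

static void model_put_page(struct backing *b)
{
    if (--b->refcount == 0) {
        b->live = false;
        memset(b->data, POISON, DMB_LEN);
    }
}

/* smc_lo_register_dmb() model: one allocation strategy or the other. */
static struct dmb *register_dmb(bool page_backed)
{
    struct dmb *d = calloc(1, sizeof(*d));
    d->page_backed = page_backed;
    d->mem = calloc(1, sizeof(*d->mem));
    d->mem->refcount = 1;
    d->mem->live = true;
    memset(d->mem->data, 'A', DMB_LEN);   /* constructed payload */
    return d;
}

/* Owner releases the DMB (connection teardown). */
static void unregister_dmb(struct dmb *d)
{
    if (d->page_backed) {
        model_put_page(d->mem);           /* only the last reference frees */
    } else {
        d->mem->live = false;             /* kfree(): gone regardless of readers */
        memset(d->mem->data, POISON, DMB_LEN);
    }
    free(d);
}

/* smc_rx_splice() model: queue the DMB to the pipe, taking a page ref. */
static struct pipe_buf splice_to_pipe_model(struct dmb *d)
{
    struct pipe_buf pb = { .mem = d->mem, .holds_ref = model_get_page(d) };
    return pb;
}

/* Pipe consumer: reads the buffer, then drops its reference.
 * Returns 0 on a valid read, -1 if the memory was already released. */
static int pipe_consume(struct pipe_buf *pb)
{
    int rc = pb->mem->live ? 0 : -1;
    if (pb->holds_ref)
        model_put_page(pb->mem);
    return rc;
}

/* The race the advisory describes: the DMB is released after splice queued
 * it but before the pipe was drained. Returns 0 if the consumer saw live
 * data, -1 on use-after-free, -2 if the page-backed buffer leaked. */
int run_scenario(bool page_backed)
{
    struct dmb *d = register_dmb(page_backed);
    struct pipe_buf pb = splice_to_pipe_model(d);
    unregister_dmb(d);                    /* owner frees while pipe still holds it */
    int rc = pipe_consume(&pb);
    bool leaked = pb.mem->live;           /* last put_page must have freed it */
    free(pb.mem);
    return leaked ? -2 : rc;
}

int main(void)
{
    printf("kzalloc-backed DMB:     %s\n", run_scenario(false) == 0 ? "ok" : "use-after-free");
    printf("folio_alloc-backed DMB: %s\n", run_scenario(true) == 0 ? "ok" : "use-after-free");
    return 0;
}
```

Running the model prints a use-after-free for the slab-backed buffer and "ok" for the page-backed one: the only thing the fix changes is whose reference decides when the memory goes away.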

Remediation

The vulnerability has been addressed by changing the DMB allocation in the loopback device to 'folio_alloc', so that DMBs are page-backed and the reference taken by 'get_page' in 'smc_rx_splice' actually pins the buffer until the pipe releases it. Users should upgrade to a kernel that carries the fix, including stable-branch backports. On hosts where SMC loopback is not compiled in ('grep CONFIG_SMC_LO /boot/config-$(uname -r)' reports it unset) the affected code is absent; where it is enabled but unused, leaving the loopback device disabled is a workable stopgap until the kernel is updated.

Added: Oct 20, 2025, 4:25 PM
Updated: Oct 20, 2025, 4:25 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  5.7
  remediation     7.7
  relevance       0.7
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.