Linux Kernel IPVS FTP Unregister Deferment Vulnerability Leading to Use-After-Free

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's IP Virtual Server (IPVS) FTP module. During network namespace cleanup, the module's exit function may unregister FTP handling before all connections are properly flushed, particularly those with valid application pointers. This flaw can be exploited to access freed memory, potentially leading to arbitrary code execution or other memory corruption issues. The vulnerability affects several versions of the Linux kernel.

Impact

Exploiting the vulnerability creates a use-after-free condition in which freed memory is accessed, which could lead to arbitrary code execution or other memory corruption problems.

Reproduction

To reproduce this vulnerability, load the IPVS FTP module and establish connections that utilize valid application pointers. Then, initiate a network namespace cleanup before the connections are fully flushed. This sequence will trigger the use-after-free condition by forcing the module to unregister while the connections are still active.

Remediation

The vulnerability has been addressed by introducing a global 'exiting_module' flag. This flag is set to true in the module's exit function before the per-network namespace subsystem is unregistered. Unregistration of the FTP handling is now deferred until all connections are flushed, preventing the use-after-free condition.
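The ordering problem and the flag-based fix described above, as a user-space C model added here for illustration; it is not the kernel patch. Every name other than exiting_module is hypothetical, the model assumes the helper's per-namespace exit hook consults the flag to tell module exit from namespace cleanup, and clearing a "registered" bit stands in for freeing the helper.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model; every name except exiting_module is hypothetical. */
enum { MAX_CONN = 4 };
struct app   { bool registered; };             /* stands in for the FTP helper */
struct conn  { struct app *app; bool live; };  /* connection with an app pointer */
struct netns { struct app ftp; struct conn conns[MAX_CONN]; };
static bool exiting_module;                    /* global flag named in the fix */

/* Flush all connections; count those whose app was already unregistered.
 * Each such connection models one use-after-free access. */
static int flush_conns(struct netns *ns) {
    int stale = 0;
    for (int i = 0; i < MAX_CONN; i++) {
        struct conn *c = &ns->conns[i];
        if (c->live && c->app && !c->app->registered) stale++;
        c->live = false; c->app = NULL;
    }
    return stale;
}

/* Per-namespace exit hook (assumed to consult the flag). Patched code called
 * from namespace cleanup skips the unregister and leaves it for later. */
static void ftp_ns_exit(struct netns *ns, bool patched) {
    if (!patched || exiting_module)
        ns->ftp.registered = false;            /* unregister immediately */
}

/* Namespace cleanup: the exit hook runs before the connection flush. */
static int netns_cleanup(bool patched) {
    struct netns ns = { .ftp = { .registered = true } };
    for (int i = 0; i < 2; i++)                /* two constructed connections */
        ns.conns[i] = (struct conn){ .app = &ns.ftp, .live = true };
    ftp_ns_exit(&ns, patched);
    int stale = flush_conns(&ns);
    ns.ftp.registered = false;                 /* deferred unregister, post-flush */
    return stale;
}

/* Module exit: the flag is set first, so the hook unregisters at once. */
static bool module_exit_unregisters(void) {
    struct netns ns = { .ftp = { .registered = true } };
    exiting_module = true;
    ftp_ns_exit(&ns, true);
    exiting_module = false;                    /* reset so the model can be rerun */
    return !ns.ftp.registered;
}
int main(void) {
    printf("stale refs: unpatched=%d patched=%d\n", netns_cleanup(false), netns_cleanup(true));
    return module_exit_unregisters() ? 0 : 1;
}
```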

Added: Oct 24, 2025, 12:19 PM
Updated: Oct 24, 2025, 12:19 PM