Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's TCP implementation, specifically in how TCP Fast Open (TFO) requests are handled. Closing a listener socket while a TFO socket is being processed can lead to a reference count underflow and a use-after-free condition. This occurs because the request socket's reference count is not properly managed, allowing for a double-free scenario. The issue has been addressed by modifying the TCP connection request handling to ensure that TFO sockets are correctly processed without causing memory management errors.
Exploitation of this vulnerability leads to a use-after-free condition, where memory that is still in use is improperly released. This can cause a reference count underflow, allowing for potential memory corruption or exploitation.
The vulnerability can be reproduced by closing a listener socket while a TCP Fast Open socket is being processed in the 'tcp_conn_request' function. This creates a situation where the request socket's reference count is not properly updated, leading to a use-after-free condition.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.