Linux Kernel TIPC Subsystem Use-After-Free Vulnerability in Monitor Reinitialization

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem. The issue arises in the function 'tipc_mon_reinit_self()', which reinitializes per-bearer monitor information. This function iterates over the 'monitors' array without being protected by the RTNL (rtnetlink) lock, so a monitor entry can be freed concurrently while the iteration still references it, leading to a use-after-free. The issue was reported by syzbot. It is reachable through 'tipc_net_finalize_work()', which calls into the reinitialization path without holding the RTNL lock, unlike the direct 'tipc_net_finalize()' path, which always runs with the RTNL lock held.

Impact

The flaw allows memory that has already been freed to be accessed from the TIPC monitor reinitialization path. The result is kernel memory corruption, which can crash the system (denial of service) and, depending on heap layout, potentially allow arbitrary code execution in kernel context.

Reproduction

The vulnerability can be reproduced by triggering the 'tipc_net_finalize_work()' function, which processes TIPC network finalization work without holding the RTNL lock, while monitor entries are being torn down concurrently. In practice this means reproducing the conditions under which 'tipc_net_finalize_work()' is scheduled, such as network device events that unregister TIPC bearers.

Remediation

The vulnerability has been fixed in the Linux kernel by ensuring the monitor reinitialization path runs with the required locking. Users should upgrade to a kernel version that includes this fix; distribution vendors typically backport it to their supported kernel branches.

Added: Dec 6, 2025, 10:29 PM
Updated: Dec 6, 2025, 10:29 PM

Vulnerability Rating

Custom Algorithm (score per category, 0-10):

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.