Linux Kernel NBD Defer Config Unlock Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Network Block Device (NBD) implementation. This issue arises in the netlink connection handling, specifically when processing the NBD_CMD_CONNECT and NBD_CLEAR_SOCK commands. The vulnerability occurs due to improper management of reference counts, leading to a use-after-free condition. The problem can be reproduced by introducing a delay before incrementing the reference count, which allows for the premature release of resources.

Impact

The mismanaged reference count allows the NBD config to be released while it is still in use. Exploitation of the resulting use-after-free can lead to memory corruption or potentially arbitrary code execution.

Reproduction

The vulnerability can be reproduced by adding a delay before the 'config_refs' reference count is incremented in the 'nbd_genl_connect' function. After processing the NBD_CMD_CONNECT command, introduce a mutex unlock followed by a delay of five seconds before incrementing the reference count. During that window the reference count is incorrectly managed, so the config can be released before the increment happens, creating a use-after-free condition.
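As an added illustration, not code from the kernel or from this advisory, the following hypothetical C model shows why the ordering of the unlock and the 'config_refs' increment matters: a competing NBD_CLEAR_SOCK that drops the device's reference in the unlocked window frees the config before the connect path takes its own reference, whereas taking that reference while the lock is still held leaves the config alive. The struct and function names are assumptions for the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the race, not kernel code: the device holds one
 * reference to its config; NBD_CLEAR_SOCK drops that reference, and the
 * connect path must take its own reference before the config can go away. */
struct cfg { int refs; bool freed; };
struct dev { bool locked; struct cfg *config; };

/* kref-style put: the last reference frees (here: marks) the config. */
static void config_put(struct cfg *c)
{
    if (--c->refs == 0)
        c->freed = true;
}

/* Competing NBD_CLEAR_SOCK: can only run while the config lock is not held. */
static void clear_sock(struct dev *d)
{
    if (d->locked || !d->config)
        return;
    struct cfg *c = d->config;
    d->config = NULL;
    config_put(c);
}

/* Vulnerable ordering: unlock first, then (after a window) bump config_refs.
 * Returns false when the increment would touch an already-freed config. */
static bool connect_unlock_then_ref(struct dev *d, struct cfg *c)
{
    d->locked = true;
    d->config = c;            /* device's own reference: refs == 1 */
    d->locked = false;
    clear_sock(d);            /* stand-in for the 5 s delay in the report */
    if (c->freed)
        return false;         /* use-after-free: refs++ on freed memory */
    c->refs++;
    return true;
}

/* Fixed ordering: take the caller's reference while the lock is still held,
 * so a concurrent NBD_CLEAR_SOCK can only drop refs from 2 to 1. */
static bool connect_ref_then_unlock(struct dev *d, struct cfg *c)
{
    d->locked = true;
    d->config = c;
    c->refs++;                /* refs == 2 before anyone else can run */
    d->locked = false;
    clear_sock(d);
    return !c->freed;
}
```

The config starts with refs == 1 (the device's reference); the two functions differ only in whether the caller's increment precedes the unlock.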

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Dec 24, 2025, 12:09 PM
Updated: Dec 24, 2025, 12:09 PM

Vulnerability Rating

Custom Algorithm scores:
spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.