Linux Kernel RDMA Component Multicast GID Table Reference Leak Vulnerability

Vulnerability

A reference counting vulnerability has been identified in the Linux kernel's RDMA (Remote Direct Memory Access) component, specifically within the connection manager (CM) for multicast operations. It arises when a CM ID is destroyed while an event for creating a multicast group is still pending. In that case 'cancel_work_sync()' prevents the queued work from running, so the cleanup of the attributes associated with the event never happens. As a result, a reference count leak occurs, which triggers a warning about a leaked GID (Global Identifier) entry reference. This issue has been documented in the Linux kernel stable tree.
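The pattern described above, reduced to a userspace C model (an added example, not kernel code and not the upstream patch). All struct and function names are hypothetical; `destroy_balanced` shows one general way to keep the count balanced when queued work is cancelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name below is hypothetical, not a kernel symbol. */
struct gid_entry { int refs; };                          /* one GID table entry */
struct mc_work { struct gid_entry *gid; bool pending; }; /* queued join event */

/* Queueing the join event takes a reference on the GID entry. */
static void queue_join(struct mc_work *w, struct gid_entry *g) {
    g->refs++;
    w->gid = g;
    w->pending = true;
}

/* Work handler: delivers the event, then drops the reference it carried. */
static void run_work(struct mc_work *w) {
    if (w->pending)
        w->gid->refs--;
    w->pending = false;
}

/* Models cancel_work_sync(): handler never runs; true if work was pending. */
static bool cancel_work(struct mc_work *w) {
    bool was_pending = w->pending;
    w->pending = false;
    return was_pending;
}

/* Leaky teardown: the cancelled event's reference is never released. */
static void destroy_leaky(struct mc_work *w) { cancel_work(w); }
/* Balanced teardown: release what the cancelled handler would have released. */
static void destroy_balanced(struct mc_work *w) { if (cancel_work(w)) w->gid->refs--; }

/* References left after queue, optional handler run, then teardown. */
static int refs_after(void (*destroy)(struct mc_work *), bool handler_ran) {
    struct gid_entry g = { 0 };
    struct mc_work w = { 0 };
    queue_join(&w, &g);
    if (handler_ran)
        run_work(&w);
    destroy(&w);
    return g.refs;
}

int main(void) {
    printf("leaky=%d balanced=%d\n",
           refs_after(destroy_leaky, false), refs_after(destroy_balanced, false));
    return 0;
}
```

Both teardown variants leave the count at zero when the handler has already run; only the destroy-while-pending ordering separates them.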

Impact

Exploitation of this vulnerability leads to a reference count leak in GID entry management, which can cause resource management issues and potentially allow for use-after-free conditions.

Reproduction

To reproduce this vulnerability, create a scenario where a CM ID is destroyed while the event for joining a multicast group is still queued. This can be done by initiating the destruction process of the CM ID before the multicast join event has been processed, thereby causing 'cancel_work_sync()' to block the event's execution. As a result, the associated 'ah_attr' (address handle attributes) cannot be properly released, leading to a reference count leak.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: Jan 13, 2026, 4:51 PM
Updated: Jan 13, 2026, 4:51 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.