Linux Kernel Uncached Route List Management Race Condition Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of uncached route lists for IPv4 and IPv6. This issue arises in the 'rt6_uncached_list_del()' and 'rt_del_uncached_list()' functions, where the kernel can be crashed by improperly managing the list head of route entries. The vulnerability occurs because the 'rt6_uncached_list_del()' function fails to acquire the necessary lock before modifying the list, leading to a race condition. When a route entry is deleted from the list, the corresponding memory can be freed while still being accessed, causing a crash. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability leads to a kernel crash, causing a denial of service by disrupting normal system operations and potentially leaving the system in an unstable state.

Reproduction

The vulnerability can be reproduced by manipulating the uncached route lists for IPv4 or IPv6. This can be done by adding and removing route entries in a way that creates a race condition, such as by using multiple threads or processes to concurrently modify the list. The 'syzkaller' tool, a fuzzer for the Linux kernel, has been reported to successfully trigger this vulnerability.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.