Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel bonding driver. The issue arises when a new slave interface is added to the bond's slave array before the enslavement process has completed: the newly added slave can immediately be selected for transmission, so if enslavement then fails and the slave's memory is freed, the transmit path can still access it. The problem is easy to reproduce by adding a dummy interface to a bonded interface and then rapidly reassigning the dummy interface to the bond while simultaneously sending TCP packets through it. This triggers a general protection fault indicating a wild memory access, which is characteristic of use-after-free bugs.
Triggering this vulnerability produces a general protection fault that crashes the affected system. The fault is likely related to a non-canonical address, which points to a serious memory-safety issue that could potentially be exploited to execute arbitrary code or cause other kinds of damage.
To reproduce this vulnerability, first add a bond interface named 'bond1' and bring it up. Then attach an XDP program to 'bond1' and add a dummy interface named 'dumdum'. While the dummy interface is being rapidly reassigned to 'bond1', send TCP packets through 'bond1'. This sequence crashes the system almost immediately because of the use-after-free.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.
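Until a patched kernel is deployed, an administrator may want to know which hosts carry the configuration the reproduction steps above use, namely a bond interface with an XDP program attached. The following shell script is an added example, not part of this advisory and not code from the kernel project: it parses the text output of `ip -d link show type bond` and reports each bond interface that has XDP attached. The sample output embedded in it is constructed, and the markers it looks for (an `xdp`, `xdpgeneric`, `xdpoffload` or `xdpmulti` token on the interface header line, optionally suffixed with `/id:N`, or a `prog/xdp` detail line) are assumed from iproute2's formatting and may need adjusting for a given iproute2 version.

```shell
#!/bin/sh
# Added example (not from the advisory): report bond interfaces that currently
# have an XDP program attached, the configuration exercised by the reproduction
# steps in the advisory. Input is the text output of `ip -d link show type bond`.
# The markers recognised below (header token "xdp", "xdpgeneric", "xdpoffload",
# "xdpmulti", optionally with "/id:N", or a "prog/xdp" detail line) are assumed
# from iproute2's output format.

# bonds_with_xdp: read `ip -d link` text on stdin, print the name of every
# interface that shows an XDP program, one name per line.
bonds_with_xdp() {
    awk '
        # Header line, e.g. "5: bond1: <BROADCAST,...> mtu 1500 xdp qdisc ...":
        # emit the previous interface if it was flagged, then start a new one.
        /^[0-9]+: / {
            flush()
            name = $2
            sub(/:$/, "", name)      # strip the trailing colon from "bond1:"
            sub(/@.*/, "", name)     # strip an "@lower" suffix on stacked devices
            hit = 0
            for (i = 3; i <= NF; i++)
                if ($i ~ /^xdp(generic|offload|multi)?(\/id:[0-9]+)?$/) hit = 1
            next
        }
        # Indented detail line printed with -d when a program is attached.
        /^[ \t]+prog\/xdp/ { hit = 1 }
        END { flush() }
        function flush() { if (name != "" && hit) print name }
    '
}

# check_live_system: run the parser against the running host (needs iproute2
# and, depending on the system, root to see all details).
check_live_system() {
    ip -d link show type bond | bonds_with_xdp
}

# Constructed sample output (not captured from a real host): bond0 has no XDP
# program, bond1 has a driver-mode program attached.
SAMPLE='4: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    bond mode active-backup miimon 100 updelay 0 downdelay 0
5: bond1: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 xdp qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    prog/xdp id 12 tag 0000000000000000 jited
    bond mode balance-rr miimon 100 updelay 0 downdelay 0'

# demo: run the parser over the constructed sample; prints "bond1".
demo() {
    printf '%s\n' "$SAMPLE" | bonds_with_xdp
}
```

On a real host, `check_live_system` prints the affected bond names; an empty result means no bond currently has an XDP program attached, which removes the specific trigger described above but does not replace the kernel upgrade.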