Linux Kernel Macvlan Source Mode Vulnerability Leading to Use-After-Free

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's macvlan driver. In source mode, a macvlan interface receives the frames whose source MAC address matches one of the addresses configured for it; those addresses are stored in a per-port table on the lower device, keyed by MAC, with each entry pointing back at the macvlan's net_device. The issue arises when a macvlan link is created in source mode together with source MAC address parameters on a lower device that already has a macvlan port, and the net_device registration then fails. The entries for the new link have already been added to the port's table, and the failure path frees the net_device without removing them, so the table keeps a dangling reference to the freed structure. A frame arriving on the lower device whose source MAC matches one of those stale entries makes the kernel dereference the freed net_device, a use-after-free that crashes the kernel.

Impact

Exploitation of this vulnerability yields a use-after-free on a kernel heap object. The reliably demonstrated outcome is a kernel crash (denial of service); turning it into arbitrary code execution would additionally require controlling what replaces the freed net_device, which this advisory does not describe. Creating the interfaces requires CAP_NET_ADMIN, which an unprivileged local user can obtain inside an unprivileged user namespace with its own network namespace on systems that allow them, so the realistic attacker is a local user or a container workload that can create network devices.

Reproduction

The vulnerability can be reproduced by creating a virtual Ethernet (veth) pair and bringing both ends up. Then add a macvlan interface on one end of the pair in source mode, with a source MAC address entry, using a MAC address that is already in use so that the device registration fails and the stale entry is left behind. Finally, ping from the other veth end: the lower device receives a frame whose source MAC matches the stale entry, which triggers the use-after-free on an affected kernel. These steps need CAP_NET_ADMIN (root, or an unprivileged user namespace with its own network namespace), and on a vulnerable kernel they will crash the machine, so run them only on a disposable test system or VM.
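The following C program is an added illustration of the failure path described above, not kernel code and not a reproducer: it models a lower port's source table, a source-mode newlink that adds its table entry before registering the device, and a registration failure, then shows the vulnerable path (entry left behind, pointing at a freed device) beside the fixed one (entries flushed before the device is released). All names (model_port, model_vlan, source_entry, newlink_model, port_receive, register_model) are invented for the example; registration failure is modelled as "address already in use", standing in for whatever makes register_netdevice() fail in the reproduction; the MAC addresses are constructed; and "freeing" only marks the object so the stale reference is detected instead of actually dereferencing freed memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAC_LEN 6
#define SOURCE_HASH_SIZE 16
#define MAX_DEVS 8
#define ERR_ADDR_IN_USE 98      /* numeric value of EADDRINUSE on Linux; model only */

struct model_vlan {
    uint8_t dev_addr[MAC_LEN];  /* the macvlan's own address */
    bool freed;                 /* model only: set instead of really freeing */
};

/* One entry of the lower port's source table: source MAC -> owning macvlan. */
struct source_entry {
    struct source_entry *next;
    struct model_vlan *vlan;    /* back-reference; dangles once vlan is freed */
    uint8_t addr[MAC_LEN];
};

struct model_port {
    struct source_entry *hash[SOURCE_HASH_SIZE];
    struct model_vlan *devs[MAX_DEVS];  /* registered macvlans on this lower device */
    int count;
};

enum rx_result { RX_NO_MATCH = 0, RX_DELIVERED = 1, RX_STALE_VLAN = -1 };

static unsigned hash_mac(const uint8_t *a)
{
    unsigned h = 0;
    for (int i = 0; i < MAC_LEN; i++)
        h = h * 31 + a[i];
    return h % SOURCE_HASH_SIZE;
}

/* Source entries are added before registration; that ordering is what makes
 * the failure path dangerous. */
static void port_add_source(struct model_port *p, struct model_vlan *v, const uint8_t *src)
{
    struct source_entry *e = calloc(1, sizeof *e);
    unsigned idx = hash_mac(src);
    memcpy(e->addr, src, MAC_LEN);
    e->vlan = v;
    e->next = p->hash[idx];
    p->hash[idx] = e;
}

/* The fix: unlink every source entry owned by v before v is torn down. */
static void port_flush_sources(struct model_port *p, struct model_vlan *v)
{
    for (unsigned i = 0; i < SOURCE_HASH_SIZE; i++) {
        struct source_entry **pp = &p->hash[i];
        while (*pp) {
            if ((*pp)->vlan == v) {
                struct source_entry *dead = *pp;
                *pp = dead->next;
                free(dead);
            } else {
                pp = &(*pp)->next;
            }
        }
    }
}

/* Stand-in for register_netdevice(): fails when another macvlan on the port
 * already has this address (modelled cause; the kernel may fail for other reasons). */
static int register_model(struct model_port *p, struct model_vlan *v)
{
    for (int i = 0; i < p->count; i++)
        if (memcmp(p->devs[i]->dev_addr, v->dev_addr, MAC_LEN) == 0)
            return -ERR_ADDR_IN_USE;
    if (p->count == MAX_DEVS)
        return -1;
    p->devs[p->count++] = v;
    return 0;
}

/* newlink for a source-mode macvlan with one source MAC entry.
 * flush_on_failure=false is the vulnerable path, true the fixed one. */
int newlink_model(struct model_port *p, const uint8_t *dev_addr,
                  const uint8_t *src_mac, bool flush_on_failure)
{
    struct model_vlan *v = calloc(1, sizeof *v);
    memcpy(v->dev_addr, dev_addr, MAC_LEN);
    port_add_source(p, v, src_mac);
    int err = register_model(p, v);
    if (err < 0) {
        if (flush_on_failure)
            port_flush_sources(p, v);
        v->freed = true;        /* in the kernel the net_device is freed here */
    }
    return err;
}

/* Ingress on the lower device: match the frame's source MAC against the table. */
int port_receive(struct model_port *p, const uint8_t *src_mac)
{
    for (struct source_entry *e = p->hash[hash_mac(src_mac)]; e; e = e->next) {
        if (memcmp(e->addr, src_mac, MAC_LEN) != 0)
            continue;
        if (e->vlan->freed)     /* in the kernel this is the use-after-free */
            return RX_STALE_VLAN;
        return RX_DELIVERED;
    }
    return RX_NO_MATCH;
}

int main(void)
{
    /* Constructed addresses: dev_a is reused so the second newlink fails. */
    const uint8_t dev_a[MAC_LEN] = {0x02, 0, 0, 0, 0, 0x01};
    const uint8_t peer1[MAC_LEN] = {0x02, 0, 0, 0, 0, 0x10};
    const uint8_t peer2[MAC_LEN] = {0x02, 0, 0, 0, 0, 0x20};
    struct model_port bug = {0}, fixed = {0};

    newlink_model(&bug, dev_a, peer1, false);
    newlink_model(&bug, dev_a, peer2, false);    /* fails; entry for peer2 left behind */
    printf("vulnerable: frame from peer2 -> %d (-1 = stale device)\n", port_receive(&bug, peer2));

    newlink_model(&fixed, dev_a, peer1, true);
    newlink_model(&fixed, dev_a, peer2, true);   /* fails; entry for peer2 flushed */
    printf("fixed: frame from peer2 -> %d (0 = no match)\n", port_receive(&fixed, peer2));
    return 0;
}
```

The second newlink on each port fails with the modelled EADDRINUSE; on the vulnerable port the frame from peer2 still finds a table entry and follows it to the released device, while on the fixed port the failure path flushed that entry, so the same frame simply does not match. The only difference between the two paths is the single port_flush_sources() call before the device is released, which is the shape of fix this class of bug needs: undo every side effect registered before the failing step.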

Remediation

Update to a kernel that includes the upstream fix for this issue; distribution kernels carry it as a backport, so check your distribution's advisory for the fixed package version rather than relying on the upstream version number alone. Instructions for updating the kernel can be found in the official Linux documentation and in your distribution's documentation. Until the fixed kernel is running, the exposure can be reduced by limiting who can create network devices: do not grant CAP_NET_ADMIN to untrusted workloads, and on hosts where unprivileged users must not be able to create their own network namespaces, disable unprivileged user namespaces (for example via the user.max_user_namespaces sysctl or the distribution's equivalent setting).

Added: Feb 14, 2026, 5:18 PM
Updated: Feb 14, 2026, 5:18 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  3.3
remediation     7.7
relevance       3.0
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.