Linux Kernel Macvlan RCU Grace Period Vulnerability Leading to Use-After-Free

Vulnerability

A race condition has been identified in the Linux kernel's macvlan implementation, specifically in the macvlan_common_newlink() function. The function may expose @dev before an error is properly handled, which allows the caller to free the device prematurely. As a result, the core networking stack or macvlan itself may not respect the required RCU grace period, leading to a use-after-free condition. The issue was reproduced by creating a virtual Ethernet pair, setting up the interfaces, and then adding a macvlan interface linked to one of the peers. A crafted command was used to trigger the error handling path and, after a short delay, a ping exposed the vulnerability.

Impact

Exploitation of this vulnerability causes a use-after-free condition in the macvlan_forward_source() function, as reported by the Kernel Address Sanitizer (KASAN). This type of vulnerability can lead to memory corruption, allowing arbitrary code execution, or to a denial of service by crashing the system.
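The paragraph above says the bug surfaces as a KASAN use-after-free report in macvlan_forward_source(). As an added example (not code from this advisory or from the kernel project), the Python helper below picks such reports out of a kernel log for triage; the log lines, addresses, offsets and task names are constructed, and the name find_kasan_hits is hypothetical.

```python
import re

# Constructed sample kernel log (not captured from a real system).
SAMPLE_LOG = """\
[  101.532201] BUG: KASAN: slab-use-after-free in macvlan_forward_source+0x1c4/0x3a0
[  101.532260] Read of size 8 at addr ffff888104c2e000 by task ping/1337
[  101.532300] constructed noise line
[  205.000010] BUG: KASAN: slab-out-of-bounds in constructed_other_fn+0x10/0x80
[  205.000020] Write of size 4 at addr ffff888100000000 by task kworker/0:1/42
[  310.700000] BUG: KASAN: use-after-free in macvlan_forward_source.isra.0+0x90/0x200
[  310.700050] Read of size 2 at addr ffff888104c2e010 by task softirq/9
"""

# KASAN report header; the "+0xoff/0xsize" part is absent in symbol-decoded logs.
HEADER = re.compile(
    r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)"
    r"(?:\+(?P<off>0x[0-9a-f]+)/0x[0-9a-f]+)?"
)
# Access line that follows the header; task names may themselves contain '/'.
ACCESS = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+ "
    r"by task (?P<task>.+)/(?P<pid>\d+)"
)

def find_kasan_hits(log_text, symbol="macvlan_forward_source"):
    """Return one dict per KASAN report whose faulting function is `symbol`."""
    hits = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.search(line)
        # Compare the base name so compiler clones (.isra.0, .cold) still match.
        if not m or m["func"].split(".")[0] != symbol:
            continue
        hit = {"bug": m["bug"], "func": m["func"], "offset": m["off"]}
        # The access line normally comes next; tolerate a few interleaved lines.
        for follow in lines[i + 1 : i + 4]:
            if HEADER.search(follow):
                break  # a new report started before an access line was seen
            a = ACCESS.search(follow)
            if a:
                hit.update(op=a["op"], size=int(a["size"]),
                           task=a["task"], pid=int(a["pid"]))
                break
        hits.append(hit)
    return hits

if __name__ == "__main__":
    for h in find_kasan_hits(SAMPLE_LOG):
        print(h)
```
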

Reproduction

The vulnerability can be reproduced by adding a virtual Ethernet interface pair, configuring one of the interfaces with a specific MAC address, and then creating a macvlan interface linked to the second peer. After an invalid command is issued to trigger an error, a ping is sent through the first interface, which hits the race condition and causes the use-after-free.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation or through the package manager for your Linux distribution.

Added: Mar 20, 2026, 9:21 AM
Updated: Mar 20, 2026, 9:21 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.