Linux Kernel Netfilter BPF Use-After-Free Vulnerability in Hook Management

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's netfilter component, specifically in the BPF (Berkeley Packet Filter) link management for netfilter programs. The bug is triggered when a process concurrently dumps hooks via nfnetlink: the hook memory is released without being properly synchronized against those readers, so a dump still walking the hook table can touch memory that has already been freed (a slab-use-after-free). The root cause, as reported by Yiming Qian, is that the release of the hook memory was not deferred until all read operations had completed.
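The following is an added illustration, not kernel code and not the patch itself: a small user-space model of the defect class described above. A toy "slab slot" holds a hook table, a dumper walks it, and a release path frees it either immediately (the buggy ordering) or only once the last reader has left (the deferred-reclamation pattern the fix relies on). The reader count stands in for the kernel's RCU read-side critical sections, and the priorities, poison value and function names are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the defect class: not kernel code.
 * A fixed slab slot holds a hook table; a dumper walks it while a release
 * path frees it. Immediate free models the bug, deferred free models the
 * fix (reader count used here in place of RCU). */

#define HOOK_COUNT 3
#define POISON     0xDEAD   /* marks freed memory, like a slab poison value */

struct hook_entries {
    int  prio[HOOK_COUNT];
    bool allocated;        /* slot state in the toy slab */
    int  readers;          /* dumpers currently walking the table */
    bool release_pending;  /* release requested while readers were active */
};

static struct hook_entries slot;   /* the single toy slab slot */

/* Toy slab free: poison the contents so a stale read is observable. */
static void slab_free(struct hook_entries *h)
{
    for (int i = 0; i < HOOK_COUNT; i++)
        h->prio[i] = POISON;
    h->allocated = false;
}

static struct hook_entries *slab_alloc(void)
{
    for (int i = 0; i < HOOK_COUNT; i++)
        slot.prio[i] = (i + 1) * 10;   /* constructed hook priorities */
    slot.allocated = true;
    slot.readers = 0;
    slot.release_pending = false;
    return &slot;
}

/* Reader side: a dump announces itself before walking (rcu_read_lock role). */
static void dump_begin(struct hook_entries *h) { h->readers++; }

/* Walk the table; return how many entries were read after being freed. */
static int dump_walk(const struct hook_entries *h)
{
    int stale = 0;
    for (int i = 0; i < HOOK_COUNT; i++)
        if (h->prio[i] == POISON)
            stale++;
    return stale;
}

/* Reader leaves; the last one out performs any deferred free
 * (the role a grace-period callback plays in the kernel). */
static void dump_end(struct hook_entries *h)
{
    if (--h->readers == 0 && h->release_pending)
        slab_free(h);
}

/* Buggy release path: frees regardless of active readers. */
static void release_hooks_immediate(struct hook_entries *h) { slab_free(h); }

/* Fixed release path: defer the free until no reader remains. */
static void release_hooks_deferred(struct hook_entries *h)
{
    if (h->readers > 0)
        h->release_pending = true;
    else
        slab_free(h);
}

/* Race scenario: a dump is mid-walk when the link is released.
 * Returns the number of stale (use-after-free) reads the dumper made. */
static int stale_reads_during_dump(bool deferred)
{
    struct hook_entries *h = slab_alloc();
    dump_begin(h);
    if (deferred)
        release_hooks_deferred(h);
    else
        release_hooks_immediate(h);
    int stale = dump_walk(h);
    dump_end(h);
    return stale;
}

/* After the same scenario, was the memory reclaimed at all? */
static bool reclaimed_after_dump(bool deferred)
{
    stale_reads_during_dump(deferred);
    return !slot.allocated;
}

int main(void)
{
    printf("immediate free: %d stale reads, reclaimed=%d\n",
           stale_reads_during_dump(false), reclaimed_after_dump(false));
    printf("deferred free:  %d stale reads, reclaimed=%d\n",
           stale_reads_during_dump(true), reclaimed_after_dump(true));
    return 0;
}
```

With the immediate free every entry the dumper reads is already poisoned, which is exactly the condition KASAN flags as a slab-use-after-free; with the deferred free the dumper sees intact data and the memory is still reclaimed, just after the last reader has left.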

Impact

Exploitation of this vulnerability results in a use-after-free, a memory corruption condition that could be leveraged to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The condition surfaces when a process concurrently dumps netfilter hooks via nfnetlink while BPF netfilter links are active: a netlink dump triggered at that point races with the release of the hook memory. On a kernel built with KASAN (Kernel Address Sanitizer), the race is reported as a slab-use-after-free, which confirms the vulnerability has been reproduced.

Remediation

Users should upgrade to the latest stable Linux kernel release, in which this vulnerability has been patched. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.

Added: Apr 2, 2026, 12:25 PM
Updated: Apr 2, 2026, 12:25 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.