Linux Kernel NULL Pointer Dereference and Use-After-Free Vulnerability in SMC TCP Handling

Vulnerability

A vulnerability in the Linux kernel's handling of Socket Memory Copy (SMC) over TCP has been identified that leads to a NULL pointer dereference and a use-after-free. The issue lies in the 'smc_tcp_syn_recv_sock()' function, which runs on the TCP receive path while a connection request is being processed. The race occurs when the SMC listening socket is closed while 'smc_tcp_syn_recv_sock()' is still handling a connection request: 'smc_close_active()' sets the listening socket's 'sk_user_data' field to NULL, and 'smc_tcp_syn_recv_sock()' reads that same field, without synchronization, to obtain the 'smc_sock' pointer. Depending on the interleaving, two failures result: if 'sk_user_data' has already been cleared, 'smc_tcp_syn_recv_sock()' dereferences a NULL pointer; if the read still returns a non-NULL pointer but the 'smc_sock' has since been freed, accessing its fields is a use-after-free, and either case crashes the kernel.

Impact

Triggering this vulnerability causes a kernel panic (NULL pointer dereference or use-after-free), crashing the system and resulting in a denial of service.

Reproduction

The vulnerability can be reproduced by widening the race window: adding an 'mdelay()' call inside 'smc_tcp_syn_recv_sock()' while it is processing a TCP connection request, and using the 'smc_run' tool to generate SMC connection requests. With the listening socket closed during the delay, the NULL pointer dereference or the use-after-free is triggered reliably and the kernel panics.

Remediation

The vulnerability has been fixed in the Linux kernel by changing 'smc_tcp_syn_recv_sock()' to access the 'smc_sock' pointer under Read-Copy Update (RCU) protection. With the fix, the 'smc_sock' cannot be freed while 'smc_tcp_syn_recv_sock()' may still be using it, which removes the race. The fix is available in the Linux kernel Git repository.
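The race in the Vulnerability section, the injected-delay reproduction, and the deferred-free semantics of the RCU fix, modelled in userspace C as an added illustration. This is not kernel code and not the upstream patch: the 'struct sock'/'struct smc_sock' layouts, the cooperative single-threaded RCU stand-in, the outcome codes, and the 'close point' parameter that takes the place of the injected 'mdelay()' are all constructed for the demo. The kernel's real RCU reader API and the exact error handling of the patched function are not reproduced; in particular, the patched reader here refuses the connection when it finds 'sk_user_data' already NULL, which is an assumption about the fix.

```c
/* Userspace model of smc_tcp_syn_recv_sock() racing smc_close_active().
 * Added illustration only; not Linux kernel code. A freed object keeps its
 * memory (with a 'freed' flag) so the demo can report a use-after-free
 * instead of crashing. */
#include <stdio.h>
#include <string.h>

enum outcome { OK = 0, REJECTED_NULL = 1, NULL_DEREF = 2, USE_AFTER_FREE = 3 };
enum close_point { CLOSE_NEVER = 0, CLOSE_BEFORE_READ = 1, CLOSE_DURING_DELAY = 2 };

struct smc_sock { int freed; };                  /* stand-in for the kernel's smc_sock */
struct sock { struct smc_sock *sk_user_data; };  /* stand-in for the TCP listening socket */

/* --- cooperative RCU stand-in (constructed; not the kernel implementation) --- */
static int rcu_readers;               /* readers inside a read-side critical section */
static struct smc_sock *rcu_pending;  /* object whose free waits for the grace period */

static void rcu_run_grace_period(void) {
    if (rcu_readers == 0 && rcu_pending) { rcu_pending->freed = 1; rcu_pending = NULL; }
}
static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { rcu_readers--; rcu_run_grace_period(); }
static void call_rcu_free(struct smc_sock *smc) { rcu_pending = smc; rcu_run_grace_period(); }

/* Unpatched close: clear sk_user_data and free the smc_sock immediately. */
static void smc_close_active_unpatched(struct sock *lsk) {
    struct smc_sock *smc = lsk->sk_user_data;
    lsk->sk_user_data = NULL;
    smc->freed = 1;
}
/* Patched close: clear the pointer, but defer the free until no reader can hold it. */
static void smc_close_active_patched(struct sock *lsk) {
    struct smc_sock *smc = lsk->sk_user_data;
    lsk->sk_user_data = NULL;
    call_rcu_free(smc);
}

/* Unpatched receive path: a plain load of sk_user_data, then a dereference.
 * 'cp' chooses where the concurrent close lands; CLOSE_DURING_DELAY is the
 * window the advisory widens with mdelay(). */
static enum outcome syn_recv_unpatched(struct sock *lsk, enum close_point cp) {
    if (cp == CLOSE_BEFORE_READ) smc_close_active_unpatched(lsk);
    struct smc_sock *smc = lsk->sk_user_data;
    if (cp == CLOSE_DURING_DELAY) smc_close_active_unpatched(lsk);
    if (!smc) return NULL_DEREF;           /* kernel: oops on smc->... */
    if (smc->freed) return USE_AFTER_FREE; /* kernel: touches freed slab memory */
    return OK;
}

/* Patched receive path: the pointer is read and used inside an RCU read-side
 * critical section, so the close path's free is deferred past it. */
static enum outcome syn_recv_patched(struct sock *lsk, enum close_point cp) {
    enum outcome ret;
    if (cp == CLOSE_BEFORE_READ) smc_close_active_patched(lsk);
    rcu_read_lock();
    struct smc_sock *smc = lsk->sk_user_data;
    if (cp == CLOSE_DURING_DELAY) smc_close_active_patched(lsk);
    if (!smc) { ret = REJECTED_NULL; goto out; }  /* listener gone: refuse (assumption) */
    ret = smc->freed ? USE_AFTER_FREE : OK;
out:
    rcu_read_unlock();  /* grace period may end here and run the deferred free */
    return ret;
}

static struct smc_sock g_obj;  /* kept global so its 'freed' flag can be inspected afterwards */

static enum outcome run_scenario(int patched, enum close_point cp) {
    rcu_readers = 0; rcu_pending = NULL;
    memset(&g_obj, 0, sizeof g_obj);
    struct sock lsk = { .sk_user_data = &g_obj };
    return patched ? syn_recv_patched(&lsk, cp) : syn_recv_unpatched(&lsk, cp);
}
/* 1 if the object from the last scenario has been freed (immediately or deferred). */
static int object_freed_after_scenario(void) { return g_obj.freed; }

int main(void) {
    static const char *names[] = { "OK", "REJECTED_NULL", "NULL_DEREF", "USE_AFTER_FREE" };
    for (int patched = 0; patched <= 1; patched++)
        for (int cp = CLOSE_NEVER; cp <= CLOSE_DURING_DELAY; cp++)
            printf("%s close_point=%d -> %s (freed=%d)\n", patched ? "patched  " : "unpatched",
                   cp, names[run_scenario(patched, cp)], object_freed_after_scenario());
    return 0;
}
```

Running the model shows the two failure interleavings from the advisory for the unpatched path (close before the read gives NULL_DEREF, close inside the delay window gives USE_AFTER_FREE), while the patched path either sees NULL and rejects, or sees a still-allocated object whose free only happens after rcu_read_unlock().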

Added: Apr 3, 2026, 5:04 PM
Updated: Apr 3, 2026, 5:04 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          9.0
impact          3.1
exploitability  3.9
remediation     7.7
relevance       5.2
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.