Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition vulnerability has been identified in the Linux kernel's handling of NAT keepalive work within the xfrm subsystem. This issue arises during the network cleanup process, where the delayed work for NAT keepalives can be improperly re-scheduled after being cancelled, potentially leading to use-after-free scenarios. The vulnerability is present in the stable versions of the Linux kernel.
Exploitation of this vulnerability can lead to a use-after-free condition, where freed memory is accessed, potentially causing memory corruption or allowing for arbitrary code execution.
The race is hit during network cleanup: 'xfrm_nat_keepalive_net_fini()' cancels the delayed NAT keepalive work, but 'xfrm_state_fini()' runs afterwards and flushes the remaining states, and that flush can re-schedule the keepalive work after it has already been cancelled.
The vulnerability has been addressed by replacing 'cancel_delayed_work_sync()' with 'disable_delayed_work_sync()' in the 'xfrm_nat_keepalive_net_fini()' function. Unlike a cancel, a disable also rejects later attempts to schedule the work, so the flush in 'xfrm_state_fini()' can no longer re-arm it.
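The following userspace model, added here and not taken from the kernel or this advisory, illustrates why the fix works: it replays the teardown order described above with a cancel-only work item versus a disabled one. The struct and all `model_*` functions are constructed stand-ins for the kernel workqueue API, not the real implementation.

```c
#include <stdbool.h>
/* Constructed userspace model of a kernel delayed_work item (not kernel code). */
struct model_delayed_work {
    bool pending;   /* handler is armed and will run later */
    bool disabled;  /* queue attempts are rejected until re-enabled */
};

/* Model of schedule_delayed_work(): re-arms the work unless it is disabled. */
static bool model_schedule(struct model_delayed_work *w)
{
    if (w->disabled)
        return false;
    w->pending = true;
    return true;
}

/* Model of cancel_delayed_work_sync(): clears pending but stays queueable. */
static void model_cancel_sync(struct model_delayed_work *w)
{
    w->pending = false;
}

/* Model of disable_delayed_work_sync(): cancels and blocks re-queueing. */
static void model_disable_sync(struct model_delayed_work *w)
{
    w->pending = false;
    w->disabled = true;
}

/* Model of the state flush in xfrm_state_fini(): per the advisory, flushing
 * the remaining states can try to re-arm the NAT keepalive work. */
static void model_state_flush(struct model_delayed_work *w)
{
    (void)model_schedule(w);
}

/* Replays the teardown order from the advisory: xfrm_nat_keepalive_net_fini()
 * first, then xfrm_state_fini(). Returns true if the work is still armed when
 * the network structures would be freed, i.e. the handler would later run
 * against freed memory (the use-after-free the advisory describes). */
bool teardown_leaves_work_armed(bool fixed)
{
    struct model_delayed_work work = { .pending = true, .disabled = false };
    if (fixed)
        model_disable_sync(&work);   /* patched net_fini */
    else
        model_cancel_sync(&work);    /* vulnerable net_fini */
    model_state_flush(&work);        /* state_fini runs afterwards */
    return work.pending;
}
```

With the cancel-only path the work is armed again after the flush; with the disable path it stays unarmed.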