Linux Kernel Bonding Driver Use-After-Free Vulnerability in Broadcast Transmission

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel bonding driver, specifically within the 'bond_xmit_broadcast' function. This issue arises because the function reuses the original socket buffer (skb) for the last slave, as determined by a potentially racy check, and clones it for the others. Concurrent modifications to the slave list can disrupt the iteration process, leading to the original skb being double-freed. The vulnerability has been addressed by replacing the unreliable check with a stable index comparison, ensuring the correct handling of the last slave while maintaining performance optimizations.
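The ownership logic described above can be seen in a simplified user-space model, added here as an illustration; it is not kernel code and not the upstream patch. The struct, the function name and the deterministic "writer" step that stands in for a concurrent slave-list change are assumptions made for the example.

```c
#include <stdio.h>

/* Simplified user-space model (hypothetical names, not kernel code). */
struct bond_model {
    int slave_cnt;    /* live slave count, changed by the "concurrent" writer */
    int change_after; /* writer acts after this index is visited (-1: never) */
    int change;       /* +1 = slave added at the tail, -1 = tail slave removed */
};

/* Returns how many times the ORIGINAL buffer is handed to a slave's transmit
 * path during one broadcast. Each hand-off consumes the buffer, so a result
 * above 1 models the use-after-free; 0 means the caller must free it itself.
 * stable == 0: "last slave?" is asked of the live list on every iteration.
 * stable == 1: the count is read once and compared with a running index. */
static int original_uses(struct bond_model b, int stable)
{
    int uses = 0;
    int snapshot = b.slave_cnt;             /* read once, before the walk */

    for (int i = 0; i < b.slave_cnt; i++) { /* the walk follows the live list */
        int is_last = stable ? (i + 1 == snapshot) : (i == b.slave_cnt - 1);

        if (is_last)
            uses++;                         /* original buffer consumed here */
        /* otherwise a clone is sent and the original is left alone */

        if (i == b.change_after)            /* replay the writer's change */
            b.slave_cnt += b.change;
    }
    return uses;
}

int main(void)
{
    struct bond_model grow   = { 2, 1, +1 }; /* constructed: slave added mid-walk */
    struct bond_model shrink = { 3, 0, -1 }; /* constructed: slave removed mid-walk */

    printf("grow:   live check=%d, index check=%d\n",
           original_uses(grow, 0), original_uses(grow, 1));
    printf("shrink: live check=%d, index check=%d\n",
           original_uses(shrink, 0), original_uses(shrink, 1));
    return 0;
}
```

In the shrink case the index check never matches, so a broadcast path built this way has to record whether the original buffer was used and free it when it was not.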

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, causing memory corruption issues such as double-free errors.

Reproduction

The vulnerability can be reproduced by creating a network bonding interface and concurrently adding and removing slaves while traffic is being transmitted over the bond. This can be done using standard Linux networking commands to manipulate the bonding slaves while simultaneously sending network packets, which will trigger the use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Apr 13, 2026, 2:53 PM
Updated: Apr 13, 2026, 2:53 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.