Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's virtio_net driver. This issue arises when the driver is configured not to use NAPI (the kernel's polling-based interrupt mitigation mechanism) and the IFF_XMIT_DST_RELEASE flag is cleared on the device. Under these conditions, transmitted packets keep a reference to their cached destination (dst) entry and can remain in the transmit queue longer than necessary. If the network namespace is deleted while such packets are still pending, the destination operations structure they reference is freed. When the driver later attempts to transmit a new packet, it touches this freed structure, causing a kernel paging request error.
Exploitation of this vulnerability leads to a use-after-free condition, causing a kernel paging request error, which can potentially be exploited to execute arbitrary code in the kernel context.
To reproduce this vulnerability, first configure a network device to use the virtio_net driver and ensure that NAPI is disabled. Then, clear the IFF_XMIT_DST_RELEASE flag on the device. After setting up a traffic control (tc) route filter that removes this flag, add the network device to a new network namespace. Once the device is in the namespace, send a packet, and then delete the namespace. This sequence will trigger the vulnerability by causing a use-after-free condition when the driver tries to transmit a packet using a freed destination operations structure.
The vulnerability has been fixed by modifying the virtio_net driver's transmission function to explicitly drop the packet's reference to its destination before queuing the packet for transmission, so that no pending packet can keep a destination alive past the lifetime of its network namespace. Users should apply the latest patches available in the Linux kernel stable tree to address this issue.