Linux Kernel IPTFS State Management Vulnerability Leading to Use-After-Free

Vulnerability

A vulnerability in the Linux kernel's IP Traffic Flow Security (IPTFS) handling within the xfrm subsystem can lead to a use-after-free condition. The issue arises because the IPTFS clone state function stores the pointer to the new mode data in the cloned state before it has successfully allocated the reorder window that the mode requires. If that allocation fails, the function frees the mode data it just allocated but leaves the cloned state's pointer referencing the freed memory. The subsequent clone unwind then destroys the state through that stale pointer and frees the same memory a second time, resulting in a double free. This vulnerability affects the Linux kernel stable tree.

Impact

Triggering this vulnerability produces a use-after-free condition in the kernel, where a pointer is dereferenced after the memory it references has been freed, potentially leading to arbitrary code execution or memory corruption.

Reproduction

To reproduce this vulnerability, clone an IPTFS state in a scenario where the reorder window allocation fails. The cloned state's mode data pointer then references freed memory, and the clone unwind accesses it when destroying the state, causing a use-after-free condition.
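To make the ordering problem described above concrete, here is an added model of the clone and unwind sequence in C; it is not the kernel's code, every name in it (mode_data, window_alloc, destroy_state, clone_state_vulnerable, clone_state_fixed) is hypothetical, and "freeing" is simulated with a flag so that the second free is counted rather than executed. The fixed variant shows one way to close the window, storing the pointer only after the reorder window exists; this page does not state which ordering the upstream fix chose.

```c
#include <stdbool.h>

/* Simulated allocator: one mode-data object, a freed flag instead of a real free(). */
struct mode_data { bool freed; bool has_window; };
struct xstate { struct mode_data *mode_data; };

static struct mode_data md_pool;
static bool fail_window_alloc;   /* fault injection: make the reorder-window allocation fail */
static int double_frees;         /* frees of an already freed object; a real allocator would corrupt */

static struct mode_data *md_alloc(void) { md_pool.freed = md_pool.has_window = false; return &md_pool; }
static void md_free(struct mode_data *md) { if (md->freed) double_frees++; md->freed = true; }
static bool window_alloc(struct mode_data *md) { return md->has_window = !fail_window_alloc; }

/* Unwind path: the destroy callback frees whatever mode_data still points at. */
static void destroy_state(struct xstate *x) { if (x->mode_data) md_free(x->mode_data); }

/* Vulnerable ordering: the pointer is stored in the state before the window exists. */
static int clone_state_vulnerable(struct xstate *new)
{
    struct mode_data *md = md_alloc();
    new->mode_data = md;
    if (!window_alloc(md)) { md_free(md); return -1; }  /* new->mode_data now dangles */
    return 0;
}

/* Fixed ordering: the state only sees the pointer once every allocation succeeded. */
static int clone_state_fixed(struct xstate *new)
{
    struct mode_data *md = md_alloc();
    if (!window_alloc(md)) { md_free(md); return -1; }  /* nothing else references md */
    new->mode_data = md;
    return 0;
}

/* Clone with the window allocation forced to fail, then unwind; returns double frees seen. */
static int simulate(int (*clone)(struct xstate *))
{
    struct xstate new = { 0 };
    double_frees = 0;
    fail_window_alloc = true;
    if (clone(&new) == 0)
        return -1;                 /* the injected failure did not fire */
    destroy_state(&new);           /* what the clone unwind does with the failed state */
    return double_frees;
}
```

Running simulate() with each clone variant shows the vulnerable ordering frees the mode data twice while the fixed ordering leaves the unwind nothing to free.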

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version.

Added: Apr 22, 2026, 3:25 PM
Updated: Apr 22, 2026, 3:25 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 6.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.