Linux Kernel Fanout Use-After-Free Vulnerability in Packet Release Function

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's packet release function. It arises from a race condition in which a NETDEV_UP event re-registers a socket into a fanout group's array, creating a dangling pointer. The packet release function does not reset a specific counter while holding a lock, so a concurrent NETDEV_UP event can still act on the socket's state and add the socket back into the fanout array. That re-added entry is not cleaned up, so it remains in the array after the socket is freed.
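The interleaving described above can be replayed as a single-threaded state model. This is an added example, not kernel code and not part of the original advisory: the struct and function names, the field `num`, and the starting value 3 are illustrative assumptions, and the lock is represented only by comments because the steps run in a fixed order.

```c
#include <stdbool.h>
#include <stdio.h>

#define FANOUT_MAX 4

struct model_sock {              /* hypothetical stand-in for the packet socket */
    int  num;                    /* counter the notifier checks; nonzero = eligible */
    bool in_sklist;              /* socket still reachable by the notifier */
    bool freed;                  /* set once release has completed */
};

struct model_fanout { struct model_sock *arr[FANOUT_MAX]; int n; };

static void fanout_add(struct model_fanout *f, struct model_sock *sk) {
    if (f->n < FANOUT_MAX) f->arr[f->n++] = sk;
}

static void fanout_del(struct model_fanout *f, struct model_sock *sk) {
    for (int i = 0; i < f->n; i++)
        if (f->arr[i] == sk) { f->arr[i] = f->arr[--f->n]; return; }
}

/* NETDEV_UP path: re-registers a listed socket whose counter is nonzero. */
static void netdev_up(struct model_fanout *f, struct model_sock *sk) {
    if (sk->in_sklist && sk->num != 0) fanout_add(f, sk);
}

/* Replays one interleaving; returns how many array slots point at a freed socket. */
int replay_release(bool reset_counter_under_lock) {
    struct model_sock sk = { .num = 3, .in_sklist = true, .freed = false };
    struct model_fanout f = { .n = 0 };
    int dangling = 0;

    fanout_add(&f, &sk);                      /* socket joined the fanout group */
    fanout_del(&f, &sk);                      /* release, lock held: unhook */
    if (reset_counter_under_lock) sk.num = 0; /* the step the page says is missing */
    netdev_up(&f, &sk);                       /* lock dropped: event lands in the window */
    sk.in_sklist = false;                     /* release finishes; the re-added slot */
    sk.freed = true;                          /* is never cleaned up */

    for (int i = 0; i < f.n; i++)
        if (f.arr[i]->freed) dangling++;
    return dangling;
}

int main(void) {
    printf("counter left set:         %d dangling\n", replay_release(false));
    printf("counter reset under lock: %d dangling\n", replay_release(true));
    return 0;
}
```
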

Impact

Exploitation of this vulnerability can cause a use-after-free condition, which may lead to memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a fanout socket and then triggering the NETDEV_UP event while the socket is still registered. This can be done by manipulating the socket's state to ensure it is in the sklist, and then sending a NETDEV_UP notification, which will re-register the socket into the fanout group's array without proper cleanup.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched.

Added: Apr 22, 2026, 2:55 PM
Updated: Apr 22, 2026, 2:55 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.6
exploitability: 3.9
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.