Linux Kernel SMC Double-Free Vulnerability Leading to Use-After-Free and Kernel Panic

Vulnerability

A double-free vulnerability has been identified in the Linux kernel's SMC (Socket Memory Copy) implementation, specifically in its splice buffer handling. The issue arises when the 'tee()' system call duplicates pipe buffer references, so that the original and the cloned buffer share the same private SMC data pointer. When the pipes are closed, the SMC private data is freed twice: once legitimately, and then a second time through the cloned buffer, resulting in a use-after-free condition. KASAN (Kernel Address Sanitizer) reports the use-after-free, and the subsequent null pointer dereference triggers a kernel panic. Beyond the memory safety issue, the vulnerability also corrupts the SMC receive-window accounting by advancing the consumer cursor twice for the same data, which can lead to further data handling errors.

Impact

Triggering this vulnerability causes a use-after-free in the SMC splice buffer release function, which leads to a null pointer dereference and a kernel panic. The result is a denial of service: normal kernel operation is disrupted and the system crashes.

Reproduction

The vulnerability can be reproduced by using the 'tee()' system call to duplicate pipe buffers that are in use with SMC sockets. This is done by first creating a pair of pipes and an SMC socket, then using 'splice()' to transfer data between the pipes while 'tee()' duplicates the pipe buffers. The SMC receive buffer is then released once per duplicated reference, producing the double free when the pipes are closed.

Remediation

Users who need to duplicate SMC socket data must use a copy-based read path instead of relying on 'tee()' and 'splice()', which trigger the double free.

Added: Apr 22, 2026, 2:52 PM
Updated: Apr 22, 2026, 2:52 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.0
exploitability: 4.3
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.