Linux Kernel NFC LLCP Socket State Handling Vulnerability Leading to Use-After-Free

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's NFC LLCP (Logical Link Control Protocol) implementation. This issue arises in the functions 'nfc_llcp_recv_hdlc()' and 'nfc_llcp_recv_disc()'. When the socket state is 'LLCP_CLOSED', the code correctly releases the socket but fails to return, causing execution to fall through. This oversight leads to a double release of the socket, creating a reference count underflow and a use-after-free condition. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by invoking the NFC LLCP reception functions 'nfc_llcp_recv_hdlc()' or 'nfc_llcp_recv_disc()' with the socket state set to 'LLCP_CLOSED'. This will trigger the double release of the socket, causing the use-after-free condition.

Remediation

The vulnerability has been addressed by adding the missing return statements after the 'LLCP_CLOSED' checks in both affected functions. Users can apply the latest patches available in the Linux kernel stable tree to mitigate this vulnerability.
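
The missing-return pattern and its fix, as an added user-space model: this is not the kernel's code and not part of the original advisory. The struct, the function names, and the assumption that the owner holds one reference while the handler takes its own are all hypothetical, chosen to show the reference count imbalance.

```c
/* User-space model of the pattern, not kernel code; all names are hypothetical. */
#include <stdio.h>
enum model_state { MODEL_CONNECTED, MODEL_CLOSED };
struct model_sock {
    enum model_state state;
    int refs;                      /* references currently held */
};

static void model_get(struct model_sock *s) { s->refs++; }
static void model_put(struct model_sock *s) { s->refs--; } /* a real object is freed at 0 */

/* Pattern the advisory describes: the closed-state branch releases the
 * handler's reference but does not return, so the common exit releases again. */
static void recv_missing_return(struct model_sock *s)
{
    model_get(s);                  /* handler takes its own reference (assumed) */
    if (s->state == MODEL_CLOSED) {
        model_put(s);              /* released, but execution falls through */
    }
    /* frame processing would happen here */
    model_put(s);                  /* common exit: second put on the closed path */
}

/* Fixed form: return immediately after releasing on the closed path. */
static void recv_with_return(struct model_sock *s)
{
    model_get(s);
    if (s->state == MODEL_CLOSED) {
        model_put(s);
        return;
    }
    model_put(s);
}

/* The owner holds one reference before the handler runs; a balanced handler
 * must leave exactly that one reference behind. */
static int refs_after(void (*handler)(struct model_sock *), enum model_state st)
{
    struct model_sock s = { st, 1 };
    handler(&s);
    return s.refs;
}

int main(void)
{
    printf("missing return, closed: refs=%d\n", refs_after(recv_missing_return, MODEL_CLOSED));
    printf("with return, closed:    refs=%d\n", refs_after(recv_with_return, MODEL_CLOSED));
    return 0;
}
```

A result of 0 on the closed path means the owner's reference was consumed by the handler, which is the condition under which the owner is left holding a pointer to a released object.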

Added: Apr 24, 2026, 5:01 PM
Updated: Apr 24, 2026, 5:01 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.