Linux Kernel batman-adv Backbone Gateway Reference Management Vulnerability

A vulnerability in the Linux kernel's batman-adv module allows improper management of backbone gateway references. The issue arises because the function batadv_bla_add_claim() can replace a claim's backbone gateway and drop the last reference to the old gateway while other processes are still using it. This can lead to a situation where the netlink claim dump path accesses a dangling pointer, potentially causing a use-after-free error. The problem is exacerbated by batadv_bla_check_claim(), which also accesses pointers without proper validation. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability can lead to a use-after-free condition, where a pointer is dereferenced after the memory it points to has been freed. This can cause memory corruption, allowing for arbitrary code execution or other unintended behavior.

Reproduction

The vulnerability can be reproduced by adding a claim in the batman-adv module that includes a backbone gateway. While the claim is active, replace the backbone gateway with a new one. The netlink claim dump will then dereference the old gateway's pointer, which has already been freed, leading to a use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.