Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's X.25 protocol implementation can lead to a double free of socket buffer (SKB) structures. This issue occurs in the 'x25_queue_rx_frame' function when 'alloc_skb' fails. The function then calls 'kfree_skb' to free the buffer and returns an error. This error propagates back through the call chain, ultimately leading to 'x25_backlog_rcv' calling 'kfree_skb' again, freeing the same buffer twice. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can lead to memory corruption: the same SKB is freed multiple times, potentially causing undefined behavior in the kernel.
The vulnerability can be reproduced by sending a fragmented X.25 frame that exceeds the maximum fragment length. This will cause 'x25_queue_rx_frame' to allocate a new SKB for the fragment, but if the allocation fails, it will free the original SKB and return an error. The error then propagates back through the X.25 state machine, leading to the same SKB being freed again, creating a double free condition.
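The ownership mismatch described above can be seen in a small user-space model. This is an added example, not kernel code or the upstream fix. The `model_*`, `queue_rx_*`, `state_machine` and `backlog_rcv_free_count` names are hypothetical, and the "caller owns" variant is an assumed way to keep a single owner on the error path.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for an SKB: records frees instead of releasing memory,
 * so a second free is observable rather than undefined behaviour. */
struct model_skb { int frees; bool queued; };

static void model_kfree_skb(struct model_skb *skb) { skb->frees++; }

/* Callee modelled on the page's description of x25_queue_rx_frame: when the
 * reassembly allocation fails it frees the incoming buffer and returns an error. */
static int queue_rx_frees_on_error(struct model_skb *skb, bool alloc_ok)
{
    if (!alloc_ok) { model_kfree_skb(skb); return -1; }
    skb->queued = true;            /* ownership moves to the receive queue */
    return 0;
}

/* Assumed alternative (not the upstream patch): on failure the callee leaves
 * the buffer untouched, so exactly one layer owns the error-path free. */
static int queue_rx_caller_owns(struct model_skb *skb, bool alloc_ok)
{
    if (!alloc_ok) return -1;
    skb->queued = true;
    return 0;
}

typedef int (*queue_fn)(struct model_skb *, bool);

/* Intermediate layer: only propagates the callee's result upward. */
static int state_machine(struct model_skb *skb, bool alloc_ok, queue_fn q) { return q(skb, alloc_ok); }

/* Caller modelled on x25_backlog_rcv: frees the buffer when processing
 * reports an error. Returns how many times the buffer was freed. */
static int backlog_rcv_free_count(bool alloc_ok, queue_fn q)
{
    struct model_skb skb = { 0, false };
    if (state_machine(&skb, alloc_ok, q) != 0)
        model_kfree_skb(&skb);
    return skb.frees;
}

int main(void)
{
    printf("callee frees, alloc fails: %d frees\n", backlog_rcv_free_count(false, queue_rx_frees_on_error));
    printf("caller owns,  alloc fails: %d frees\n", backlog_rcv_free_count(false, queue_rx_caller_owns));
    return 0;
}
```

A free count of 2 on the allocation-failure path is the double free; a count of 1 means a single layer released the buffer.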
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.