Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's handling of AF_UNIX sockets within the BPF sockmap. This issue arises in the 'sk_psock_verdict_data_ready' function, where the socket's 'sk_socket' field is accessed after the corresponding socket has been orphaned and potentially freed. The vulnerability affects several versions of the Linux kernel.
Triggering this vulnerability produces a use-after-free condition, which commonly results in memory corruption and can potentially lead to arbitrary code execution.
The vulnerability can be reproduced by sending messages over a Unix domain socket pair. The 'sk_data_ready' callback of the receiving socket is invoked after releasing the socket's state lock, allowing the socket to be orphaned and its 'sk_socket' reference to be freed. This sequence creates a window where the 'sk_socket' can be accessed after it has been freed, triggering the use-after-free condition.
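The window described above, as an added example that is neither kernel code nor the upstream patch: a single-threaded user-space model in C that replays the interleaving deterministically, with a flag standing in for the free so nothing is actually corrupted. The `_m` types and functions are hypothetical, and the reference pinning in the second variant is an assumed, generic way to close such a window, not a description of the actual fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; the _m types are hypothetical, not kernel structs. */
struct socket_m { int refs; bool freed; };
struct sock_m { struct socket_m *sk_socket; };

/* Drop one reference; the flag stands in for the free so the model is safe. */
static void put_m(struct socket_m *s) { if (--s->refs == 0) s->freed = true; }

/* Models close() on the receiver: orphan the sock, drop the owner's ref. */
static void orphan_m(struct sock_m *sk)
{
    struct socket_m *s = sk->sk_socket;
    sk->sk_socket = NULL;
    if (s) put_m(s);
}

/* Callback as described: no lock held, no reference of its own.
 * Returns true when it would have touched an already freed socket. */
static bool data_ready_unsafe(struct sock_m *sk, bool close_races)
{
    struct socket_m *s = sk->sk_socket;  /* borrowed pointer */
    if (close_races) orphan_m(sk);       /* receiver closed inside the window */
    return s != NULL && s->freed;        /* the later access to *s */
}

/* Assumed hardening: pin the socket before the window can open. In real code
 * the load and the pin must be atomic with respect to the orphaning path. */
static bool data_ready_pinned(struct sock_m *sk, bool close_races)
{
    struct socket_m *s = sk->sk_socket;
    if (s) s->refs++;
    if (close_races) orphan_m(sk);
    bool stale = s != NULL && s->freed;
    if (s) put_m(s);                     /* last put frees after the access */
    return stale;
}

/* Build fresh state (constructed sample) and run one variant of the callback. */
static bool run_m(bool pinned, bool close_races)
{
    struct socket_m so = { .refs = 1, .freed = false };
    struct sock_m sk = { .sk_socket = &so };
    return pinned ? data_ready_pinned(&sk, close_races)
                  : data_ready_unsafe(&sk, close_races);
}

int main(void)
{
    printf("unsafe+race=%d pinned+race=%d\n", run_m(false, true), run_m(true, true));
}
```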
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the patched version are available on the official Linux kernel website.