Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's ATM LEC module. This issue arises from a race condition between the 'lec_atm_close()' function, which sets a pointer to NULL without proper synchronization, and concurrent functions that access this pointer. When the socket is freed while another thread is still using it, a use-after-free condition occurs, leading to potential exploitation. The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability triggers a use-after-free condition, potentially allowing memory corruption or execution of arbitrary code.
The vulnerability can be reproduced by creating a scenario where 'lec_atm_close()' is called, setting 'priv->lecd' to NULL, while another thread concurrently accesses 'priv->lecd'. This can be achieved by sending messages through the ATM VCC while the socket is being closed, causing 'sock_def_readable()' to access the wait queue of a freed socket.
The vulnerability has been fixed by converting 'priv->lecd' to an RCU-protected pointer, ensuring safe concurrent access. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
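The pattern behind that fix, as an added example that is not the kernel patch or code from this page: a userspace C model in which C11 atomics and a reader counter stand in for the kernel's RCU primitives (rcu_read_lock(), rcu_dereference(), rcu_assign_pointer(), synchronize_rcu()). 'struct vcc' and every 'lecd_*' / 'send_to_lecd' helper name are hypothetical; only 'priv->lecd' comes from the advisory.

```c
/* Userspace model only: C11 atomics stand in for kernel RCU. Names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
struct vcc { int wait_queue; };        /* stand-in for the daemon's socket */
static _Atomic(struct vcc *) lecd;     /* models priv->lecd */
static atomic_int readers;             /* models RCU read-side sections */

/* Reader entry: announce the section first, then load the pointer once. */
static struct vcc *lecd_read_begin(void)
{
    atomic_fetch_add(&readers, 1);
    return atomic_load(&lecd);         /* may be NULL: caller must check */
}
static void lecd_read_end(void) { atomic_fetch_sub(&readers, 1); }
/* Sender path: fails cleanly once the pointer has been unpublished. */
static bool send_to_lecd(int msg)
{
    struct vcc *v = lecd_read_begin();
    bool ok = (v != NULL);
    if (ok)
        v->wait_queue = msg;           /* safe: the free waits for this section */
    lecd_read_end();
    return ok;
}

static void lecd_publish(struct vcc *v) { atomic_store(&lecd, v); }
/* Close, step 1: unpublish so that new readers see NULL. */
static struct vcc *lecd_unpublish(void) { return atomic_exchange(&lecd, (struct vcc *)NULL); }
/* Close, step 2: free only after every reader has left (the grace period). */
static bool lecd_try_free(struct vcc *old)
{
    if (atomic_load(&readers) != 0)
        return false;                  /* a reader may still hold 'old' */
    free(old);
    return true;
}

int main(void)
{
    struct vcc *v = calloc(1, sizeof *v);   /* constructed sample object */
    if (!v) return 1;
    lecd_publish(v);
    struct vcc *held = lecd_read_begin();   /* a reader is in flight */
    struct vcc *old = lecd_unpublish();     /* close begins */
    bool early = lecd_try_free(old);        /* refused while the reader is active */
    held->wait_queue = 1;                   /* still valid memory */
    lecd_read_end();
    return (!early && !send_to_lecd(2) && lecd_try_free(old)) ? 0 : 1;
}
```

The unsafe ordering the advisory describes corresponds to calling free() right after the unpublish step while 'held' is still in use; the model refuses that until the reader count drains.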