Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free exists in the Linux kernel's XFRM policy code. When a network namespace exits, the function that tears down the namespace's XFRM policies frees the policy_bydst hash tables without first waiting for in-flight RCU (Read-Copy-Update) readers to leave their read-side critical sections. Because the tables are published and looked up under RCU, a reader that fetched a table pointer before the teardown can still dereference it after the memory has been returned to the allocator, which leads to memory corruption or a kernel crash. The vulnerability affects the Linux kernel stable tree.
The impact is a kernel use-after-free: the freed table memory may be reallocated and overwritten while a reader is still traversing it. The most likely outcome is a system crash; as with any kernel use-after-free, memory corruption that an attacker could attempt to steer toward code execution cannot be ruled out.
Triggering the bug requires winning a race. One context must be inside an RCU read-side critical section that walks the policy_bydst tables (a policy lookup, for example) while another destroys the same network namespace, so that the teardown path flushes the policies and frees the tables before the reader has finished with them. Whether the freed memory is reused inside that window determines whether the result is a silent stale read, corruption, or a crash; a KASAN-enabled kernel reports the access as a use-after-free regardless.
The fix in the Linux kernel stable tree adds a synchronize_rcu() call after the tables are unpublished and before they are freed, so that every reader which could still hold a pointer to them has exited its critical section by the time the memory is released. Users should upgrade to a stable kernel that carries this fix.
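The ordering guarantee that synchronize_rcu() provides, and what goes wrong without it, can be shown outside the kernel. The following is an added example, not code from the kernel or from this advisory: a single-threaded, user-space model of the teardown race in a fixed interleaving. Freeing is modelled as poisoning the object (in the way SLUB or KASAN would) so that a reader touching freed memory is detectable rather than undefined behaviour, and the blocking wait inside synchronize_rcu() is modelled as deferring the free until the last pre-existing reader leaves, which gives the same ordering. All names (policy_bydst, policy_fini, the model_* helpers, MAGIC_* values) are assumptions chosen to mirror the kernel API they stand in for.

```c
/*
 * Added example, not kernel code: a single-threaded model of the RCU
 * ordering bug and its fix.  "kfree" is modelled as poisoning the object
 * (as SLUB/KASAN would) so a reader that touches freed memory is
 * detectable.  All names are assumptions mirroring the kernel API.
 */
#include <stdbool.h>
#include <stdlib.h>

#define NBUCKETS 4
#define MAGIC_LIVE  0x5ca1ab1eu
#define MAGIC_FREED 0x6b6b6b6bu   /* SLUB POISON_FREE byte pattern */

struct policy_hash {
    unsigned int magic;
    int bucket[NBUCKETS];
};

/* RCU-protected pointer; stands in for the namespace's policy_bydst table */
static struct policy_hash *policy_bydst;
static int rcu_readers;                   /* readers between lock/unlock */
static struct policy_hash *grace_pending; /* object waiting for a grace period */

static void model_kfree(struct policy_hash *p)
{
    p->magic = MAGIC_FREED;               /* poison; memory stays mapped */
    for (int i = 0; i < NBUCKETS; i++)
        p->bucket[i] = -1;
}

static void model_rcu_read_lock(void) { rcu_readers++; }

static void model_rcu_read_unlock(void)
{
    rcu_readers--;
    /* The last pre-existing reader leaving ends the grace period that
     * synchronize_rcu() was waiting for, so the deferred free runs now. */
    if (rcu_readers == 0 && grace_pending) {
        model_kfree(grace_pending);
        grace_pending = NULL;
    }
}

/* Single-threaded stand-in for "synchronize_rcu(); kfree(p);": the free is
 * ordered after every reader that started before this call has finished. */
static void model_synchronize_rcu_then_kfree(struct policy_hash *p)
{
    if (rcu_readers == 0)
        model_kfree(p);
    else
        grace_pending = p;
}

/* Model of the namespace-exit path that frees the policy hash tables. */
static void policy_fini(bool with_fix)
{
    struct policy_hash *old = policy_bydst;
    policy_bydst = NULL;               /* unpublish: new readers see no table */
    if (with_fix)
        model_synchronize_rcu_then_kfree(old);
    else
        model_kfree(old);              /* bug: a reader may still hold 'old' */
}

/*
 * Run the race in a fixed interleaving: a reader enters its critical
 * section and fetches the table, the namespace exits, then the reader uses
 * the table it fetched.  Returns true only if the reader saw live memory
 * and the table was still freed once the reader left.
 */
static bool run_scenario(bool with_fix)
{
    struct policy_hash *tab = calloc(1, sizeof(*tab));
    if (!tab)
        return false;
    tab->magic = MAGIC_LIVE;
    policy_bydst = tab;

    model_rcu_read_lock();
    struct policy_hash *held = policy_bydst;   /* rcu_dereference() */
    policy_fini(with_fix);                     /* concurrent netns exit */
    bool ok = held->magic == MAGIC_LIVE;       /* reader uses the held table */
    model_rcu_read_unlock();                   /* grace period may end here */

    ok = ok && tab->magic == MAGIC_FREED && grace_pending == NULL;
    free(tab);
    return ok;
}

int main(void)
{
    /* exit 0 when the unfixed path shows the stale read and the fixed one does not */
    return (!run_scenario(false) && run_scenario(true)) ? 0 : 1;
}
```

The unfixed path frees the table between the reader's rcu_dereference() and its use, so the reader observes the poison pattern; the fixed path defers the free until the reader's rcu_read_unlock(), after which the table is released exactly as before. The interleaving is forced here so the outcome is deterministic; on real hardware the same window is a narrow race, which is why such bugs often surface only under KASAN or stress.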