Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (4 further CPE entries not shown)
A use-after-free vulnerability has been identified in the Linux kernel's nexthop group management. When a nexthop is removed from a group, the function responsible for this operation publishes the new group and then immediately frees the per-CPU statistics of the removed entry. This creates a race condition, as readers can still access the old group and dereference the freed statistics, leading to a use-after-free scenario on per-CPU memory. The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability causes a use-after-free condition in per-CPU memory, which can lead to memory corruption and potentially allow for arbitrary code execution.
To reproduce this vulnerability, remove a nexthop entry from a group. The 'remove_nh_grp_entry' function will publish the new group and then free the per-CPU statistics of the removed entry. However, the 'synchronize_net' grace period in the caller 'remove_nexthop_from_groups' will run after the free, allowing RCU readers to dereference the freed statistics and cause a use-after-free on per-CPU memory.
The vulnerability has been fixed by modifying the order of operations in the 'remove_nh_grp_entry' function. The per-CPU statistics are now freed after the 'synchronize_net' grace period, ensuring that all RCU readers have finished before the memory is released.
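The ordering problem described above, as an added single-threaded model written for this page (it is not the kernel's code, and the structures, the `reader` type and the `synchronize_model`/`remove_entry` names are constructed stand-ins for the real nexthop group, RCU reader and `synchronize_net`/`remove_nh_grp_entry` pair). A reader captures the old group before the removal starts; `simulate(false)` frees the removed entry's statistics before the grace period, as the vulnerable code did, and `simulate(true)` frees them after it, as the fix does. Freed memory is marked with a flag rather than released, so the model never dereferences unmapped memory:

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ENTRIES 4

/* Constructed, simplified model of a nexthop group. Each entry owns a
 * statistics object standing in for the kernel's per-CPU counters. */
struct nh_stats {
    unsigned long packets;
    bool freed;      /* set instead of calling free(), so the model is safe */
};

struct nh_entry {
    struct nh_stats *stats;
};

struct nh_group {
    int num;
    struct nh_entry entries[MAX_ENTRIES];
};

/* The pointer readers dereference; stands in for the RCU-published group. */
static struct nh_group *published_group;

/* A reader inside its read-side critical section: it has captured the
 * group pointer but has not yet read the statistics. */
struct reader {
    struct nh_group *snapshot;
    int idx;
    bool in_critical_section;
};

static void reader_enter(struct reader *r, int idx)
{
    r->in_critical_section = true;
    r->idx = idx;
    r->snapshot = published_group;      /* rcu_dereference() equivalent */
}

/* Finish the read; returns true if the reader touched freed statistics. */
static bool reader_exit(struct reader *r)
{
    struct nh_stats *s = r->snapshot->entries[r->idx].stats;
    bool touched_freed = s->freed;
    r->in_critical_section = false;
    return touched_freed;
}

/* Model of synchronize_net(): the writer waits until every reader that
 * entered before the call has left. Here the pending reader is simply run
 * to completion; the result records whether it hit freed memory. */
static bool synchronize_model(struct reader *pending)
{
    if (pending->in_critical_section)
        return reader_exit(pending);
    return false;
}

/* Remove entry idx from old, publish the new group, and free the removed
 * entry's statistics before (vulnerable) or after (fixed) the grace period.
 * Returns true if the concurrent reader observed a use-after-free. */
static bool remove_entry(struct nh_group *old, int idx, struct reader *rdr,
                         bool free_after_grace_period)
{
    struct nh_group *new_grp = calloc(1, sizeof(*new_grp));
    struct nh_stats *victim = old->entries[idx].stats;
    bool uaf;

    for (int i = 0; i < old->num; i++)      /* build group without idx */
        if (i != idx)
            new_grp->entries[new_grp->num++] = old->entries[i];

    published_group = new_grp;              /* rcu_assign_pointer() equivalent */

    if (!free_after_grace_period)
        victim->freed = true;               /* bug: readers may still hold old */

    uaf = synchronize_model(rdr);           /* synchronize_net() in the caller */

    if (free_after_grace_period)
        victim->freed = true;               /* fix: every reader has finished */

    free(new_grp);
    return uaf;
}

/* Build a two-entry group, start a reader on entry 0, then remove entry 0
 * with the requested ordering. Returns true if the reader hit freed memory. */
bool simulate(bool free_after_grace_period)
{
    struct nh_stats st0 = { .packets = 10 }, st1 = { .packets = 20 };
    struct nh_group grp = { .num = 2 };
    struct reader rdr;

    grp.entries[0].stats = &st0;
    grp.entries[1].stats = &st1;
    published_group = &grp;

    reader_enter(&rdr, 0);                  /* reader races with the removal */
    return remove_entry(&grp, 0, &rdr, free_after_grace_period);
}

int main(void)
{
    printf("free before grace period: %s\n",
           simulate(false) ? "use-after-free observed" : "ok");
    printf("free after grace period:  %s\n",
           simulate(true) ? "use-after-free observed" : "ok");
    return 0;
}
```

The point the model makes is that publishing the new group only stops new readers from reaching the removed entry; readers that already hold the old group are only known to be gone once the grace period has completed, so any memory they might still reference has to outlive that grace period. When reviewing similar kernel changes, the check is mechanical: every free of RCU-reachable data must sit after the `synchronize_*` or `call_rcu` that covers it, in the same function or a caller, never before.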