Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's net-shaper component can lead to a double free of a socket buffer (skb) after a generic netlink reply. The genlmsg_reply() function hands the reply skb to netlink, and netlink_unicast() consumes it. If an error occurs, the skb is freed on that path, and the net-shaper handler then frees the same message again, which is a double free. The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability can cause a double free condition, which may lead to memory corruption and potentially allow for arbitrary code execution.
The double free is triggered in net_shaper_nl_get_doit() or net_shaper_nl_cap_get_doit() after the generic netlink reply has been sent and returns an error. The current implementation frees the message buffer on that error; the fix returns the reply error directly, which avoids the double free.
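The ownership rule behind this bug, as an added userspace model rather than kernel code or the actual patch: `struct msg`, `msg_free()`, `reply_consumes()`, `doit()` and `count_frees()` are hypothetical stand-ins, and the pre-reply failure case is an assumption used to show which cleanup remains legitimate. Releases are counted instead of performed, so the second release is visible without corrupting memory.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed userspace model (all names hypothetical): releases are counted,
 * not performed, so a double release is observable without memory corruption. */
struct msg { int frees; };
static void msg_free(struct msg *m) { m->frees++; }

/* Stand-in for the reply call: consumes the buffer on every return path. */
static int reply_consumes(struct msg *m, int fail)
{
    if (!fail)
        return 0;               /* queued: receiver owns it (not modelled) */
    msg_free(m);                /* send error path already releases the buffer */
    return -ECONNREFUSED;
}

/* Handler shape: fixed == 0 jumps to the shared cleanup label after a failed
 * reply; fixed == 1 returns the reply error directly. */
static int doit(struct msg *m, int fixed, int fill_fail, int send_fail)
{
    int ret = fill_fail ? -EMSGSIZE : 0;    /* assumed pre-reply failure */
    if (ret)
        goto free_msg;          /* buffer still ours: cleanup is correct */
    ret = reply_consumes(m, send_fail);
    if (ret && !fixed)
        goto free_msg;          /* buffer no longer ours: second release */
    return ret;
free_msg:
    msg_free(m);
    return ret;
}

/* Number of releases one handler call performs on its buffer. */
static int count_frees(int fixed, int fill_fail, int send_fail)
{
    struct msg m = { 0 };
    doit(&m, fixed, fill_fail, send_fail);
    return m.frees;
}

int main(void)
{
    printf("failed reply, before fix: %d frees\n", count_frees(0, 0, 1));
    printf("failed reply, after fix:  %d frees\n", count_frees(1, 0, 1));
    printf("pre-reply failure, after fix: %d frees\n", count_frees(1, 1, 0));
    return 0;
}
```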
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched.