Linux Kernel Arena VMA Use-After-Free Vulnerability on Fork

A use-after-free vulnerability has been identified in the Linux kernel's BPF arena management, specifically within the VMA (Virtual Memory Area) handling. This issue arises because the child VMA created during a fork operation is not properly registered, leading to a dangling pointer after the parent VMA is unmapped. If the child process then attempts to free arena pages, it can trigger a use-after-free condition by accessing the stale VMA pointer. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, which may be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.

Reproduction

The vulnerability can be reproduced by forking a process that has a BPF arena VMA. The child process will inherit a pointer to the parent VMA, which becomes invalid once the parent VMA is unmapped. If the child then calls 'bpf_arena_free_pages()', the system will attempt to access the now-invalid VMA pointer, causing a use-after-free condition.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.