Linux Kernel batman-adv Use-After-Free Vulnerability in Backbone Claim Deletion

Vulnerability

A use-after-free vulnerability has been addressed in the Linux kernel's batman-adv module. The issue is in the 'bridge_loop_avoidance' component, in the function 'batadv_bla_del_backbone_claims()', which removes claims for a backbone. The entry that links a claim into the hash list counts as a reference to the claim, so deleting that entry means the reference has to be released. If the reference is dropped before the last access to the claim object, the claim can be freed prematurely, leading to a use-after-free condition.

Impact

Triggering this flaw results in a use-after-free condition, which could allow memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by invoking 'batadv_bla_del_backbone_claims()' in a scenario where it removes all claims for a backbone. Removing a claim involves dropping its link entry in the hash list, and the order of the two steps matters. The timing of 'batadv_claim_put()' is crucial: it must not be executed before the last access to the claim object, because the claim can then be freed before its list entry is removed, creating a use-after-free vulnerability.
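The ordering problem described above, modelled in user-space C as an added example (it is not the kernel's code or the patch). The struct layout, the 'released' flag that stands in for a real free, the sample list and all function names are assumptions made for illustration.

```c
#include <stdio.h>
/* User-space model, not kernel code: names are hypothetical, data is constructed. */
struct claim {
    int refcount;        /* the hash list holds one reference */
    int backbone_id;
    int released;        /* set instead of calling free(), so the model can check */
    struct claim *next;  /* stands in for the hash list link entry */
};
static int late_accesses; /* unlinks performed on an already released claim */

static void claim_put(struct claim *c)
{
    if (--c->refcount == 0)
        c->released = 1; /* real code would free the object here */
}

static void claim_unlink(struct claim **head, struct claim *c)
{
    if (c->released)
        late_accesses++; /* real code would be touching freed memory */
    for (struct claim **pp = head; *pp; pp = &(*pp)->next)
        if (*pp == c) { *pp = c->next; return; }
}

static int del_backbone_claims(struct claim **head, int backbone_id, int put_first)
{
    struct claim *c, *next;
    late_accesses = 0;
    for (c = *head; c; c = next) {
        next = c->next; /* saved before the entry is unlinked */
        if (c->backbone_id != backbone_id)
            continue;
        if (put_first) { claim_put(c); claim_unlink(head, c); } /* flawed order */
        else           { claim_unlink(head, c); claim_put(c); } /* unlink, then put */
    }
    return late_accesses;
}

static int run_model(int put_first)
{
    struct claim c[3] = { {1, 7, 0, &c[1]}, {1, 9, 0, &c[2]}, {1, 7, 0, NULL} };
    struct claim *head = &c[0];
    return del_backbone_claims(&head, 7, put_first);
}

int main(void)
{
    return printf("put first: %d late, unlink first: %d late\n", run_model(1), run_model(0)) < 0;
}
```

In the model, dropping the reference first leaves every matching claim released while it is still being unlinked; unlinking first and releasing last leaves none.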

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: May 28, 2026, 11:10 AM
Updated: May 28, 2026, 11:10 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.