oss-sec mailing list archives

CVE-2017-15129: Linux kernel: net: double-free and memory corruption in get_net_ns_by_id()


From: Vladis Dronov <vdronov () redhat com>
Date: Fri, 5 Jan 2018 07:52:32 -0500 (EST)

Heololo,

A use-after-free vulnerability was found in the network namespaces code affecting the Linux
kernel since v4.0-rc1 through v4.15-rc5. The function get_net_ns_by_id() does not check
for the net::count value after it has found a peer network in the netns_ids idr, which could
lead to a double free and memory corruption. This vulnerability could allow an unprivileged
local user to induce kernel memory corruption on the system, leading to a crash. Due to
the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe
it is unlikely.

References:

https://marc.info/?l=linux-netdev&m=151370451121029&w=2

https://marc.info/?t=151370468900001&r=1&w=2 (a whole thread)

https://bugzilla.redhat.com/show_bug.cgi?id=1531174

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21b5944350052d2583e82dd59b19a9ba94a007f0

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
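The following is an added userspace model of the refcount problem described in the advisory; it is not kernel code and not part of the original post. It assumes a simplified struct net with a plain integer count, a fixed-size array standing in for the netns_ids idr, and a put_net() that frees immediately when the count reaches zero (in the kernel the teardown is deferred, which is what opens the window in which the idr still points at a namespace whose count is already zero). The vulnerable lookup bumps the count unconditionally, so a caller that finds a dying namespace and later drops its reference triggers a second free; the fixed lookup only takes a reference if the count is still non-zero, mirroring the maybe_get_net()-style check in the upstream patch, and returns NULL otherwise.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of struct net: only the fields the race needs. */
struct net {
    int id;
    int count;       /* models net::count (the namespace refcount) */
    bool in_idr;     /* models the entry still being present in netns_ids */
    int free_calls;  /* number of times teardown ran; 2 means double free */
};

#define NETNS_MAX 4
static struct net netns_ids[NETNS_MAX]; /* constructed stand-in for the netns_ids idr */

/* Model of idr_find(): returns the slot only if it is populated. */
static struct net *idr_find(int id)
{
    if (id < 0 || id >= NETNS_MAX)
        return NULL;
    return netns_ids[id].in_idr ? &netns_ids[id] : NULL;
}

/* Model of net_free(): in the model we only record the event instead of freeing. */
static void net_free(struct net *net)
{
    net->free_calls++;
}

/* Model of put_net(): last reference dropped -> teardown. The idr entry is
 * deliberately NOT removed here, modelling the window before cleanup_net()
 * unregisters the id. */
static void put_net(struct net *net)
{
    if (--net->count == 0)
        net_free(net);
}

/* Vulnerable lookup: takes a reference without checking that count > 0. */
static struct net *get_net_ns_by_id_vulnerable(int id)
{
    struct net *peer = idr_find(id);
    if (peer)
        peer->count++;  /* models get_net(peer) */
    return peer;
}

/* Fixed lookup: only take a reference if the namespace is still alive. */
static bool maybe_get_net(struct net *net)
{
    if (net->count == 0)
        return false;   /* already dying: refuse to resurrect it */
    net->count++;
    return true;
}

static struct net *get_net_ns_by_id_fixed(int id)
{
    struct net *peer = idr_find(id);
    if (peer && !maybe_get_net(peer))
        peer = NULL;
    return peer;
}

/* Runs the race in sequence: the last user drops the peer, then a concurrent
 * lookup by id finds it in the idr and later drops its own reference.
 * Returns how many times teardown ran for the peer (1 is correct, 2 is the bug). */
static int run_scenario(bool fixed)
{
    struct net *peer = &netns_ids[1];
    *peer = (struct net){ .id = 1, .count = 1, .in_idr = true };

    put_net(peer);  /* count 1 -> 0, teardown starts, idr still maps id 1 */

    struct net *found = fixed ? get_net_ns_by_id_fixed(1)
                              : get_net_ns_by_id_vulnerable(1);
    if (found)
        put_net(found);  /* caller's balancing put: second teardown on the bad path */

    return peer->free_calls;
}

int main(void)
{
    printf("vulnerable lookup: teardown ran %d time(s)\n", run_scenario(false));
    printf("fixed lookup:      teardown ran %d time(s)\n", run_scenario(true));
    return 0;
}
```

The model collapses the asynchronous cleanup into a synchronous put_net() so that the ordering is deterministic; in the kernel the same two steps are separated by the scheduling of cleanup_net(), which is why the stale idr entry is reachable by an unprivileged caller at all.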

