CVE-2023-4387: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-4387 is a use-after-free vulnerability discovered in the vmxnet3_rq_alloc_rx_buf function within VMware's vmxnet3 ethernet NIC driver in the Linux Kernel (drivers/net/vmxnet3/vmxnet3_drv.c). The vulnerability was disclosed on August 16, 2023, affecting Linux kernel versions up to 5.18 (NVD, CVE).

The vulnerability occurs in the vmxnet3_rq_alloc_rx_buf function when dma_map_single() fails, causing rbi->skb to be freed immediately. Similarly, when dma_map_page() fails, rbi->page is also freed. In both cases, the function returns an error to its callers through the chain vmxnet3_rq_init() -> vmxnet3_rq_init_all() -> vmxnet3_activate_dev(). The issue arises when vmxnet3_activate_dev() calls vmxnet3_rq_cleanup_all() in error handling code, resulting in rbi->skb or rbi->page being freed again, leading to use-after-free bugs. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (Red Hat).

This vulnerability could allow a local attacker to crash the system through a double-free condition while cleaning up vmxnet3_rq_cleanup_all. Additionally, it could lead to kernel information leakage problems (Debian, Red Hat).

The issue has been fixed in Linux kernel version 5.18 through a patch that clears rbi->skb and rbi->page after they are freed. The fix was implemented in commit 9e7fef9521e73ca8afd7da9e58c14654b02dfad8 (GitHub). Various Linux distributions have also released patches for their respective versions.