
SOCK_RAW sockets reachable from Webkit process allows triggering double free in IP6_EXTHDR_CHECK

High
PlayStation

Team Summary

Official summary from PlayStation

## Summary

Memory corruption can be achieved by sending fragmented IPv6 packets to the loopback interface due to poor and inconsistent use of `IP6_EXTHDR_CHECK`. The macro `IP6_EXTHDR_CHECK` can free the mbuf if the packet is sent to the loopback interface. This fact is not considered in `dest6_input()`, `frag6_input()` and more. For example, in `dest6_input()` the double pointer is not updated:

```c
int dest6_input(struct mbuf **mp, int *offp, int proto)
{
    struct mbuf *m = *mp;
    ...
    /* On the loopback path this macro may free m and replace it with a
     * new mbuf, but the replacement is never written back through *mp. */
    IP6_EXTHDR_CHECK(m, off, sizeof(*dstopts), return IPPROTO_DONE);
    ...
    *offp = off;
    return dstopts->ip6d_nxt;
}
```

Hence, when parsing the next headers, the mbuf can be free'd once again, leading to a double free, which behaves like a use-after-free when we allocate mbufs again.

Normally, this path would not be triggerable, because sending to the loopback interface requires SOCK_RAW root privileges. **However, for some reason on the PS4 SOCK_RAW sockets can be opened in the Webkit process!**

Attached is `poc.c`, which must run with root privileges on a FreeBSD 9 machine. It demonstrates being able to escalate privileges to kernel. Attached is also `ps4.c`, which is slightly adjusted to work on the PS4 (you'd need to add includes etc. to be able to compile it with your official SDK; I compiled it with a custom framework). The reliability of `poc.c` is very high, around 80%, whereas `ps4.c` is not very high, I guess around 20%.

## Impact

- In conjunction with a WebKit exploit, a fully chained remote attack can be achieved.
- It is possible to steal/manipulate user data.
- Dump and run pirated games.

Reported by theflow0
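A small user-space model of the pointer-propagation defect the report describes, added here as an illustration and not code from the report or from FreeBSD: `ext_hdr_check()` stands in for `IP6_EXTHDR_CHECK` on the loopback path, the handler names, mbuf pool and header sizes are constructed, and the two walks contrast the handler that drops the check's result with one that writes it back through `*mp`.

```c
#include <stddef.h>
enum { MB_ALIVE = 1, MB_FREED = 2 };
struct mbuf { size_t len; int state; };   /* toy mbuf: length plus liveness tag */
static struct mbuf pool[8];               /* constructed stand-in for the mbuf zone */
static int next_mb, double_free_count;

/* Stand-in for IP6_EXTHDR_CHECK on the loopback path: if the header does not fit,
 * the current mbuf is released and a fresh one holding the pulled-up bytes is returned. */
static struct mbuf *ext_hdr_check(struct mbuf *m, size_t off, size_t need)
{
    if (off + need <= m->len)
        return m;                         /* contiguous already, nothing replaced */
    if (m->state == MB_FREED)
        double_free_count++;              /* second release of the same buffer */
    m->state = MB_FREED;
    struct mbuf *n = &pool[next_mb++];
    n->state = MB_ALIVE;
    n->len = off + need;
    return n;
}

/* Same shape as the dest6_input() excerpt in the report: m may be swapped for
 * a new mbuf, but *mp is never written back. */
static int dest6_input_vuln(struct mbuf **mp, size_t *offp)
{
    struct mbuf *m = *mp;
    m = ext_hdr_check(m, *offp, 8);
    *offp += 8;
    return 0;                             /* caller still holds the released mbuf */
}

/* Hardened variant: the caller's pointer is updated with the check's result. */
static int dest6_input_fixed(struct mbuf **mp, size_t *offp)
{
    struct mbuf *m = ext_hdr_check(*mp, *offp, 8);
    *mp = m;
    *offp += 8;
    return 0;
}
/* Plays ip6_input(): two extension headers parsed through one shared double
 * pointer. Returns the number of double frees the model observed. */
static int walk_headers(int (*handler)(struct mbuf **, size_t *))
{
    next_mb = double_free_count = 0;
    struct mbuf *m = &pool[next_mb++];
    m->state = MB_ALIVE;
    m->len = 40;                          /* constructed: only the IPv6 header fits */
    size_t off = 40;
    handler(&m, &off);                    /* first header forces a pull-up */
    handler(&m, &off);                    /* second header re-checks *mp */
    return double_free_count;
}
```

`walk_headers(dest6_input_vuln)` reports one double free because the second handler re-runs the check on the mbuf the first call already released; `walk_headers(dest6_input_fixed)` reports none.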

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$10000.00

Weakness

Double Free