Linux Kernel Use-After-Free Vulnerability in mpt3sas SCSI Driver

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's mpt3sas SCSI driver. The issue arises in '_scsih_expander_node_remove()', which is called by 'mpt3sas_transport_port_remove()'. This sequence frees the 'port' field of the 'sas_expander' structure, and a subsequent access to that field is reported as a use-after-free by the Kernel Address Sanitizer (KASAN). The bug is triggered when the driver module is removed and results in a read from freed memory.
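As an added illustration (not the mpt3sas driver's code and not the upstream fix), the following C model shows the ordering bug described above: the callee releases the expander's 'port', and the caller then reads it. The names (make_expander, transport_port_remove, read_port_id, the two expander_node_remove_* functions) are simplified stand-ins for the kernel routines, and the 'freed' tombstone is a stand-in for KASAN's detection, so the bad read is reported as -1 instead of being undefined behaviour.

```c
#include <stdlib.h>

/* Simplified stand-ins for the kernel's sas_port / sas_expander objects. The
 * 'freed' tombstone plays the role of KASAN's shadow byte: a released port is
 * quarantined (never handed back to the allocator) and marked dead, so a later
 * access is reported rather than being undefined behaviour. */
struct sas_port { int port_id; int freed; };
struct sas_expander { unsigned long long sas_address; struct sas_port *port; };

struct sas_expander *make_expander(unsigned long long addr, int port_id) {
    struct sas_expander *ex = calloc(1, sizeof *ex);
    struct sas_port *port = calloc(1, sizeof *port);
    if (!ex || !port) { free(ex); free(port); return NULL; }
    port->port_id = port_id;
    ex->sas_address = addr;
    ex->port = port;
    return ex;
}

/* Stands in for mpt3sas_transport_port_remove(): releases the expander's port. */
static void transport_port_remove(struct sas_expander *ex) {
    if (ex->port) ex->port->freed = 1;            /* quarantine instead of free() */
}

/* Instrumented read of port_id; -1 is the "KASAN report" for a dead object. */
static int read_port_id(const struct sas_port *p) {
    return (!p || p->freed) ? -1 : p->port_id;
}

/* Buggy ordering: the port is released first, and its port_id is still read
 * afterwards through the now-dangling pointer. */
int expander_node_remove_buggy(struct sas_expander *ex) {
    transport_port_remove(ex);
    int id = read_port_id(ex->port);              /* use after free */
    ex->port = NULL;
    return id;
}

/* Hardened ordering (one standard fix pattern, not the upstream patch): capture
 * what is still needed, release the port, then clear the dangling pointer. */
int expander_node_remove_fixed(struct sas_expander *ex) {
    int id = read_port_id(ex->port);
    transport_port_remove(ex);
    ex->port = NULL;
    return id;
}
```

The same "read after the callee freed it" shape is what a KASAN splat on module unload points at, and the fix pattern is to hoist every read of the child object above the call that tears it down.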

Impact

Exploitation of this vulnerability leads to a use-after-free condition; such conditions commonly result in memory corruption and can lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by loading the mpt3sas driver module, which manages SCSI devices connected through SAS (Serial Attached SCSI) expanders. Once the module is loaded and the driver is actively managing devices, the module can be removed with the 'rmmod' command. This triggers the vulnerability: the removal sequence frees memory belonging to the SAS expander's port and then accesses it, producing the use-after-free.

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed. Consult the Linux kernel changelog or your distribution's update notes for details on the patched version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.