Linux Kernel qla2xxx SCSI Driver Use-After-Free Vulnerability in Async Command Handling

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's qla2xxx SCSI driver. This issue arises because the timeout handler and the completion function are racing with each other. When the timeout handler is invoked, it can be interrupted by the normal response path, leading to a situation where the completion function releases a pointer to a freed resource. This can cause a kernel NULL pointer dereference, creating a potential exploitation vector. The vulnerability is present in the qla2xxx SCSI driver for certain Fibre Channel host bus adapters, specifically in the asynchronous command handling process.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, causing a kernel NULL pointer dereference. This type of memory management error can often be exploited to execute arbitrary code in the kernel context, potentially leading to a complete system compromise.

Reproduction

The vulnerability can be reproduced by triggering an asynchronous command in the qla2xxx SCSI driver while simultaneously invoking a timeout condition. This can be done by sending a command that takes longer to process, allowing the timeout handler to preempt the normal response path. The race condition created by this interruption can be observed in the driver's asynchronous event handling, where the completion function improperly accesses a resource that has already been freed.

Remediation

The vulnerability has been addressed by introducing a reference counter to properly manage the lifecycle of the resources involved. This fix is available in the mainline Linux kernel.
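The reference-counting pattern described above, as an added user-space illustration (not the kernel patch or the driver's code; every name here is hypothetical). It replays the interleaving in which the timeout handler is interrupted by the completion path, and shows that the object is released only by the last holder:

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical model of an async request; not the driver's structure. */
struct async_req {
    atomic_int refs;   /* one reference per path that may still touch it */
    int qpair_id;      /* stands in for state the timeout path reads */
};

static int frees;      /* counts real releases so the result can be checked */

static struct async_req *req_alloc(int qpair_id)
{
    struct async_req *r = malloc(sizeof(*r));
    if (!r)
        return NULL;
    atomic_init(&r->refs, 2);  /* one for the completion path, one for the timer */
    r->qpair_id = qpair_id;
    return r;
}

/* Drop one reference; only the final put frees. Returns 1 if it freed. */
static int req_put(struct async_req *r)
{
    if (atomic_fetch_sub(&r->refs, 1) != 1)
        return 0;
    free(r);
    frees++;
    return 1;
}

/* Completion path: finished with the request, but no unconditional free. */
static int completion_done(struct async_req *r) { return req_put(r); }

/* Timeout handler resuming after it was interrupted by the completion. */
static int timeout_finish(struct async_req *r, int *qpair_seen)
{
    *qpair_seen = r->qpair_id;  /* still valid: the timer's reference pins r */
    return req_put(r);
}

/* Replay the race: timeout starts, completion runs, timeout resumes. */
static int replay_race(void)
{
    struct async_req *r = req_alloc(7);  /* 7 is a constructed sample value */
    int seen = -1;
    if (!r)
        return -1;
    int early = completion_done(r);      /* must not free: timer holds a ref */
    int last = timeout_finish(r, &seen); /* last put performs the free */
    return (early == 0 && last == 1) ? seen : -2;
}

int main(void) { return replay_race() == 7 ? 0 : 1; }
```

With an unconditional free in the completion path instead of `req_put`, the read in `timeout_finish` would touch released memory, which is the condition the advisory describes.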

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.