Linux Kernel PowerPC pSeries Use-After-Free Vulnerability in Dynamic PHB Removal

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's PowerPC pSeries architecture, specifically within the 'remove_phb_dynamic()' function. The issue arises when the function accesses the 'io_resource' of a host bridge after it has been unregistered, potentially leading to a crash. This vulnerability can be triggered under certain conditions, particularly when 'slub_debug' and 'page_poison' are enabled, causing the kernel to crash instead of silently failing. The vulnerability has been addressed by modifying the reference management of the host bridge to prevent the use-after-free condition.
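The ordering problem described above, modelled in user-space C as an added example (not kernel code and not taken from the fix): `struct bridge` and its helpers are hypothetical stand-ins, and freeing is simulated by writing SLUB's free-poison byte (0x6b) in place so the stale read stays observable without undefined behaviour. Holding an extra reference across the unregister call is assumed here as the form the reference-management fix takes.

```c
#include <stdio.h>
#include <string.h>
#define POISON_FREE 0x6b                        /* SLUB's free-poison byte */
#define POISON_WORD (~0UL / 0xff * POISON_FREE) /* that byte in every position */

/* Hypothetical stand-in for a host bridge; not the kernel's structure. */
struct bridge {
    int refcount, freed;
    unsigned long io_resource_start;
};

static void bridge_get(struct bridge *b) { b->refcount++; }

/* Last put "frees": the model poisons in place so stale reads stay defined. */
static void bridge_put(struct bridge *b)
{
    if (--b->refcount == 0) {
        memset(&b->io_resource_start, POISON_FREE, sizeof b->io_resource_start);
        b->freed = 1;
    }
}

/* Unregistering drops the reference held by the registration. */
static void bridge_unregister(struct bridge *b) { bridge_put(b); }

/* Buggy order: the only reference is gone before io_resource is read. */
static unsigned long remove_buggy(struct bridge *b)
{
    bridge_unregister(b);
    return b->io_resource_start;        /* stale read: returns poison */
}

/* Fixed order: pin the object, unregister, use it, then release it. */
static unsigned long remove_fixed(struct bridge *b)
{
    unsigned long start;
    bridge_get(b);                      /* extra reference across unregister */
    bridge_unregister(b);
    start = b->io_resource_start;       /* object is still live here */
    bridge_put(b);                      /* last reference: freed now */
    return start;
}

int main(void)
{
    struct bridge a = { 1, 0, 0x10000UL }, b = a;   /* constructed sample values */
    printf("buggy %#lx, fixed %#lx\n", remove_buggy(&a), remove_fixed(&b));
    return 0;
}
```

Without poisoning, the buggy read would usually return the old value and go unnoticed, which is why the crash only shows up with the debug options enabled.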

Impact

Exploitation of this vulnerability can lead to a kernel crash, causing a denial of service condition on the affected system.

Reproduction

The vulnerability can be reproduced by removing a slot from a dynamic PHB (PCI Host Bridge) on a PowerPC pSeries system with 'slub_debug' and 'page_poison' enabled. This can be done through the 'drmgr' command, which triggers the 'remove_phb_dynamic()' function. The timing of the slot removal can be managed to create a use-after-free scenario, where the PHB is accessed after it has been freed, leading to a crash.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for updating the kernel can be found in the official Linux kernel documentation.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.