Linux Kernel Bonding Driver Use-After-Free Vulnerability in 802.3ad Aggregation

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's bonding driver, specifically within the 802.3ad aggregation handling. This issue arises when the 'bond_3ad_unbind_slave' function is called, as it can inadvertently access freed memory related to aggregation groups. The vulnerability occurs after a slave is unbound, leaving pointers to deallocated memory, which can lead to undefined behavior or exploitation.

Impact

Exploitation of this vulnerability causes a use-after-free condition, where the system reads from memory that has already been freed, potentially leading to memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating multiple aggregation groups within the same bond interface. When a slave is unbound from the bond, the 'bond_3ad_unbind_slave' function clears the aggregator but does not update the slave ports list, leaving pointers to freed memory. This can be observed in the KASAN (Kernel Address Sanitizer) logs, which report the use-after-free error.
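
A triage check for the KASAN evidence mentioned above, as an added example that is not part of the original advisory: it scans kernel log lines for use-after-free reports whose faulting function is 'bond_3ad_unbind_slave'. The log lines in SAMPLE_DMESG are constructed for illustration, and the names find_uaf_reports and SAMPLE_DMESG are assumptions of this example.

```python
import re

# KASAN headline: "BUG: KASAN: <kind> in <func>+0x<off>/0x<len> [<module>]".
# Newer kernels report "slab-use-after-free"; older ones "use-after-free".
HEADLINE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?: \[(?P<module>\w+)\])?"
)
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+")


def find_uaf_reports(lines, func="bond_3ad_unbind_slave"):
    """Return one dict per KASAN use-after-free report raised inside `func`."""
    hits, current = [], None
    for line in lines:
        head = HEADLINE.search(line)
        if head:
            # Any new KASAN headline closes the previous report.
            current = None
            if head["kind"].endswith("use-after-free") and head["func"] == func:
                current = {"kind": head["kind"], "module": head["module"],
                           "op": None, "size": None}
                hits.append(current)
            continue
        access = ACCESS.search(line)
        # Attach only the first access line that follows a matching headline.
        if access and current is not None and current["op"] is None:
            current["op"] = access["op"].lower()
            current["size"] = int(access["size"])
    return hits


# Constructed sample log, not output captured from an affected system.
SAMPLE_DMESG = """\
[  101.200001] bond0: (slave eth1): Releasing backup interface
[  101.200417] ==================================================================
[  101.200431] BUG: KASAN: use-after-free in bond_3ad_unbind_slave+0x1b4/0x9f0 [bonding]
[  101.200455] Read of size 2 at addr ffff888012345678 by task ip/1234
[  101.200470] ==================================================================
[  230.000100] BUG: KASAN: slab-out-of-bounds in some_other_func+0x10/0x40
[  230.000120] Write of size 8 at addr ffff888000000000 by task test/1
""".splitlines()

if __name__ == "__main__":
    for report in find_uaf_reports(SAMPLE_DMESG):
        print(report)
```

Feed it the lines of a saved kernel log from a KASAN-enabled test kernel; a non-empty result means the report described in this advisory was triggered on that host.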

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.