Linux Kernel SCSI Libsas Use-After-Free Vulnerability in SMP Task Execution

A use-after-free vulnerability has been identified in the Linux kernel's SCSI libsas module, specifically within the SMP task execution function. This issue arises when the function smp_execute_task_sg() attempts to delete a timer associated with a task that has already been freed. If the timer's handler is still running, the deletion process can create a race condition, leading to the use of a dangling pointer.

Impact

Exploitation of this vulnerability can result in a use-after-free condition, which may be leveraged to execute arbitrary code or cause a denial-of-service by crashing the system.

Reproduction

The vulnerability can be reproduced by executing an SMP task that fails, which triggers the smp_execute_task_sg() function to call del_timer() on the task's timer. If the timer handler sas_task_internal_timedout() is concurrently running, it will not be stopped, allowing the timer to reference a freed task, thus creating a use-after-free scenario.

Remediation

The vulnerability has been addressed by modifying the smp_execute_task_sg() function to use del_timer_sync() instead of del_timer(). This change ensures that the timer handler has completed before the associated task is deallocated, preventing the use-after-free condition.