Linux Kernel IPMI Subsystem Use-After-Free Vulnerability in User Destruction Function

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem. The issue is in the '_ipmi_destroy_user()' function: the call to 'intf_free()' frees the object that 'intf' points to, so the pointer can no longer be safely dereferenced on the following line. Doing so accesses freed memory, which can lead to memory corruption or exploitation.
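The ordering problem described above, as an added user-space model (not the kernel's IPMI code and not the actual patch, which this page does not show). Every name in it is hypothetical. The object lives in a static slot that is poisoned on release, so the stale access is counted instead of touching freed heap memory, and the hardened variant simply finishes all uses of the pointer before dropping the last reference.

```c
/* User-space model only; hypothetical names, not kernel code. */
#include <stdbool.h>
#include <string.h>

struct model_intf { int refcount; int users; };

static struct model_intf slot;   /* pooled object, so stale checks stay defined */
static bool slot_live;           /* false once the last reference is dropped */
static int stale_accesses;       /* uses of the object after its release */

static struct model_intf *model_intf_get(void)
{
    slot = (struct model_intf){ .refcount = 1, .users = 1 };
    slot_live = true;
    stale_accesses = 0;
    return &slot;
}

/* Drop one reference; the last put "frees" the object (poison + mark dead). */
static void model_intf_put(struct model_intf *intf)
{
    if (--intf->refcount == 0) {
        memset(intf, 0xA5, sizeof(*intf));
        slot_live = false;
    }
}

/* Checked access, in the spirit of a sanitizer's liveness check. */
static void model_user_drop(struct model_intf *intf)
{
    if (!slot_live) { stale_accesses++; return; }
    intf->users--;
}

/* Buggy order: the put may free intf, and the next line still uses it. */
int destroy_user_buggy(void)
{
    struct model_intf *intf = model_intf_get();
    model_intf_put(intf);
    model_user_drop(intf);       /* use after free */
    return stale_accesses;
}

/* Hardened order: finish every use of intf, then drop the reference last. */
int destroy_user_fixed(void)
{
    struct model_intf *intf = model_intf_get();
    model_user_drop(intf);
    model_intf_put(intf);
    return stale_accesses;
}
```

Each function returns the number of accesses made after release: 1 for the buggy order and 0 for the hardened one.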

Impact

Exploitation of this vulnerability could result in memory corruption, which may be leveraged to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by creating an IPMI user and then destroying that user while the IPMI interface is still in use. This can be done by manually managing IPMI user references and interfaces, ensuring that the 'intf' pointer is freed before it is dereferenced, which replicates the conditions that lead to the use-after-free error.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The official Linux kernel Git repository contains the necessary patches.

Added: Dec 9, 2025, 4:50 PM
Updated: Dec 9, 2025, 4:50 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.