Linux Kernel SCSI LPFC Driver Use-After-Free Vulnerability During Firmware Update

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's SCSI LPFC driver, in the firmware update process exposed through sysfs. The issue arises when the driver accesses memory through a pointer to a mailbox object that has already been released back to the mailbox pool. The KFENCE memory debugger logged the access as a use-after-free read, indicating that the driver read freed memory, which could potentially be exploited.
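
The ordering problem described above, shown as a small user-space model. This is an added example, not the lpfc driver's code and not the upstream patch. The mbox structure, the pool, the poison byte and the function names are assumptions made for illustration; the poison fill on release stands in for the freed state that KFENCE reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0x6b          /* constructed stand-in for a freed-memory pattern */
struct mbox {                /* hypothetical mailbox object */
    int in_use;
    uint32_t payload[8];     /* command and response words live here */
};
static struct mbox pool[4];  /* hypothetical mailbox pool */

static struct mbox *mbox_alloc(void) {
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++)
        if (!pool[i].in_use) {
            pool[i] = (struct mbox){ .in_use = 1 };  /* zeroed, marked owned */
            return &pool[i];
        }
    return NULL;
}

static void mbox_free(struct mbox *m) {
    memset(m->payload, POISON, sizeof(m->payload)); /* contents now invalid */
    m->in_use = 0;
}

/* Flawed ordering: a pointer into the payload is dereferenced after release. */
uint32_t wr_object_uaf(uint32_t written) {
    struct mbox *m = mbox_alloc();
    if (!m) return 0;
    uint32_t *resp = &m->payload[2];   /* points into mailbox memory */
    *resp = written;                   /* device response lands here */
    mbox_free(m);
    return *resp;                      /* stale read: poison, not `written` */
}

/* Safe ordering: the last payload access precedes the release. */
uint32_t wr_object_fixed(uint32_t written) {
    struct mbox *m = mbox_alloc();
    if (!m) return 0;
    m->payload[2] = written;
    uint32_t result = m->payload[2];   /* copy out while the slot is owned */
    mbox_free(m);
    return result;
}

int main(void) {
    printf("uaf=0x%08x fixed=0x%08x\n", (unsigned)wr_object_uaf(4096), (unsigned)wr_object_fixed(4096));
    return 0;
}
```

In the model the stale read returns the poison pattern instead of the value the caller wrote; in a real pool the slot may already belong to another request, so the value read is whatever that owner stored there.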

Impact

Exploitation of this vulnerability could lead to memory corruption issues, where freed memory is accessed and potentially manipulated, causing undefined behavior in the driver or the kernel.

Reproduction

The vulnerability can be reproduced by writing firmware to a device using the LPFC driver through the sysfs interface. This process will trigger the lpfc_wr_object() function, which will log a use-after-free read warning if the vulnerability is present.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The specific commit containing the fix is 21681b81b9ae548c5dae7ae00d931197a27f480c.

Added: Sep 16, 2025, 5:12 PM
Updated: Sep 16, 2025, 5:12 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.