Linux Kernel Use-After-Free Vulnerability in Mellanox MLX5 PTP Queue

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of Precision Time Protocol (PTP) queues for Mellanox MLX5 devices. The FIFO queue indexes are not validated during pop operations, so a pop from an empty queue can cause memory management errors. This can occur during the re-synchronization process, where out-of-order completion queue events have been observed draining the queue, which leads to use-after-free conditions. The fix adds checks and counters that prevent a re-sync operation if the socket buffer (SKB) cannot be accounted for in the FIFO because of out-of-order events.

Impact

Exploitation of this vulnerability can lead to use-after-free conditions, potentially allowing for arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by initiating a PTP re-sync operation on a Mellanox MLX5 device. During this process, the lack of proper FIFO index checks can be exploited, leading to popping from an empty queue and causing a use-after-free condition. This issue is particularly relevant when out-of-order completion queue events are present, as they can drain the queue and create the vulnerability scenario.
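
The unchecked pop and the guarded re-sync described in the Vulnerability and Reproduction sections, as a userspace C model added here for illustration. It is not the mlx5 driver's code; every name in it (`skb_fifo`, `handle_completion`, `replay_stale_pops`), the 16-bit counters and the replayed trace are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#define FIFO_SIZE 8u                    /* power of two; constructed for this model */

struct skb_fifo {
    int      *slot[FIFO_SIZE];          /* stand-ins for queued SKB pointers */
    uint16_t  pc, cc;                   /* producer / consumer counters */
    int       live;                     /* entries really present (model bookkeeping) */
    unsigned  stale_pops, ooo_rejected; /* empty-FIFO pops; completions refused */
};

static void fifo_push(struct skb_fifo *f, int *skb)
{
    f->slot[f->pc++ & (FIFO_SIZE - 1u)] = skb;
    f->live++;
}

/* Pop with no index validation: on an empty FIFO it still advances cc and
 * returns a stale slot, i.e. a pointer whose buffer was already released. */
static int *fifo_pop(struct skb_fifo *f)
{
    if (f->live > 0) f->live--;
    else f->stale_pops++;
    return f->slot[f->cc++ & (FIFO_SIZE - 1u)];
}

/* Timestamp completion for entry `id`: drop older entries, then pop `id`.
 * With `checked`, `id` must still be outstanding (cc <= id < pc, modulo wrap). */
static bool handle_completion(struct skb_fifo *f, uint16_t id, bool checked)
{
    if (checked && (uint16_t)(id - f->cc) >= (uint16_t)(f->pc - f->cc)) {
        f->ooo_rejected++;              /* SKB cannot be accounted for: no re-sync */
        return false;
    }
    while (f->cc != id)                 /* re-sync: skip entries that never completed */
        (void)fifo_pop(f);
    (void)fifo_pop(f);
    return true;
}

/* Constructed trace: ids 0..2 queued, completion for 2 arrives, then a late one for 1. */
static unsigned replay_stale_pops(bool checked)
{
    static int skb[3];
    struct skb_fifo f = {0};
    for (int i = 0; i < 3; i++) fifo_push(&f, &skb[i]);
    handle_completion(&f, 2, checked);  /* in order: drops 0 and 1, consumes 2 */
    handle_completion(&f, 1, checked);  /* out of order: FIFO is already empty */
    return f.stale_pops;
}
```

In the model, the late completion makes the unchecked path walk the consumer counter all the way around its 16-bit range over an empty FIFO, while the checked path rejects it and only increments a counter.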

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.

Added: Sep 18, 2025, 2:48 PM
Updated: Sep 18, 2025, 2:48 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.