Linux Kernel PCI/ASPM Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's PCI Express (PCIe) Active State Power Management (ASPM) handling. This issue arises when a multi-function device's function 0 is removed; the kernel retains a pointer to this function's PCI device. If the ASPM policy is then changed, it dereferences the pointer, leading to a use-after-free condition. The vulnerability has been addressed by modifying the ASPM management to disable it and free the associated link state when any child function is removed, thereby preventing the use of a dangling pointer and ensuring consistent ASPM control across all functions of multi-function devices.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, causing memory corruption that could be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

To reproduce this vulnerability, remove a PCI device's function 0 and then change the ASPM policy to 'powersave'. This sequence will trigger the use-after-free condition, as the removed function's pointer is dereferenced, leading to a KASAN (Kernel Address Sanitizer) warning about a slab memory use-after-free error.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.