Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's networking component for Mellanox devices (mlx5e). This issue arises from an incorrect handling of flow post action attributes, where the attributes are unnecessarily cloned a second time. The original clone is already managed properly, and the redundant cloning not only wastes resources but also creates synchronization issues. These issues manifest in the neighbor update process, ultimately causing a use-after-free error. The vulnerability is present in the stable versions of the Linux kernel.
The vulnerability leads to a use-after-free condition, where memory that has been freed is accessed again, potentially causing memory corruption or allowing for arbitrary code execution.
The vulnerability can be reproduced by adding a post action rule in the mlx5e networking component. The process involves creating a flow attribute, which is then incorrectly cloned before being added to the flow table. This second clone is the source of the vulnerability, as it is not properly updated in the neighbor management code, leading to the use-after-free error.
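The stale-copy mechanism described above, as an added userspace model that is not mlx5e code and not taken from the kernel source. Every struct and function name is hypothetical, and the `encap` entry is an assumed stand-in for whatever neighbor-derived state the update path retires. The retired entry is only marked dead rather than freed, so the dangling reference can be observed safely.

```c
#include <stdlib.h>

/* Simplified userspace model; every name here is hypothetical, not mlx5e code. */
struct encap { int live; };                /* neighbour-derived encap entry */
struct flow_attr { struct encap *encap; }; /* per-flow attribute */
struct flow { struct flow_attr *attrs[4]; int n; }; /* attrs the update path walks */

static struct flow_attr *clone_attr(const struct flow_attr *src)
{
    struct flow_attr *a = malloc(sizeof(*a));
    if (!a) abort();
    *a = *src;
    return a;
}

/* The caller's clone: registered on the flow, so neighbour updates reach it. */
static struct flow_attr *clone_for_post_act(struct flow *f, const struct flow_attr *src)
{
    struct flow_attr *a = clone_attr(src);
    f->attrs[f->n++] = a;
    return a;
}

/* Neighbour update: repoint every tracked attr, then retire the old entry.
 * The entry is only marked dead, never freed, so the stale reference can be
 * observed here without undefined behaviour. */
static void neigh_update(struct flow *f, struct encap *old, struct encap *new_e)
{
    for (int i = 0; i < f->n; i++)
        if (f->attrs[i]->encap == old)
            f->attrs[i]->encap = new_e;
    old->live = 0;
}

/* Returns 1 if the post action handle ends up referencing a retired entry.
 * second_clone=1 models the redundant copy; 0 reuses the caller's attribute. */
int post_act_stale_after_update(int second_clone)
{
    struct encap old = { 1 }, new_e = { 1 };
    struct flow f = { { 0 }, 0 };
    struct flow_attr base = { &old };

    struct flow_attr *post_attr = clone_for_post_act(&f, &base);
    struct flow_attr *handle_attr = second_clone ? clone_attr(post_attr) : post_attr;

    neigh_update(&f, &old, &new_e);
    int stale = !handle_attr->encap->live;

    if (second_clone)
        free(handle_attr);
    free(post_attr);
    return stale;
}
```

With the second clone, the handle's private copy is invisible to the update walk and keeps pointing at the retired entry; reusing the caller's attribute keeps a single tracked copy that the update repoints.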
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.