Linux Kernel DSA Switches Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of DSA (Distributed Switch Architecture) switches. This issue arises during the switch probing process, specifically when the 'complete' flag is set to true. In this state, if a subsequent function fails, the DSA tree setup is left incomplete. While the memory allocated for the switch ports is freed, elements in the routing table that still point to these ports remain, leading to a use-after-free condition when dereferenced. This vulnerability can be exploited if the DSA tree setup process encounters a probing failure after the initial switches have been successfully probed.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by probing a DSA switch when the 'complete' flag is set to true. If the probing process for the last switch fails, the memory for its ports is freed, but the routing table elements pointing to these ports remain. This creates a use-after-free condition that can be exploited.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the DSA tree setup process to properly manage the routing table and prevent use-after-free conditions.
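
A simplified user-space model of the lifetime bug described above, added here as an illustration; it is not kernel code or the upstream patch, and every name in it (add_link, purge_links, count_links, dangling_after_failed_probe) is hypothetical. It counts the routing-table entries left pointing at a failed switch's freed ports, with and without unlinking them before the free.

```c
#include <stdio.h>
#include <stdlib.h>
/* User-space model only: every name here is hypothetical, not a kernel symbol. */
struct port { int sw; int id; };
struct link { struct port *dp; int owner_sw; struct link *next; };
struct tree { struct link *rtable; };
/* Add a routing-table entry pointing at port dp. */
static int add_link(struct tree *t, struct port *dp) {
    struct link *l = malloc(sizeof(*l));
    if (!l) return -1;
    l->dp = dp; l->owner_sw = dp->sw;
    l->next = t->rtable; t->rtable = l;
    return 0;
}
/* Unlink and free entries that reference switch sw (sw < 0 matches all). */
static void purge_links(struct tree *t, int sw) {
    for (struct link **pp = &t->rtable; *pp; ) {
        struct link *l = *pp;
        if (sw < 0 || l->owner_sw == sw) { *pp = l->next; free(l); }
        else pp = &l->next;
    }
}
/* Count entries that target switch sw, via owner_sw so dp is never dereferenced. */
static int count_links(const struct tree *t, int sw) {
    int n = 0;
    for (const struct link *l = t->rtable; l; l = l->next) n += (l->owner_sw == sw);
    return n;
}
/* Switch 0 probes fine; switch 1 fails after linking. Returns stale entries, -1 on OOM. */
static int dangling_after_failed_probe(int fixed) {
    struct tree t = { NULL };
    struct port *p0 = calloc(2, sizeof(*p0)), *p1 = calloc(2, sizeof(*p1));
    int stale = -1;
    if (!p0 || !p1) goto out;
    for (int i = 0; i < 2; i++) {
        p0[i] = (struct port){ 0, i }; p1[i] = (struct port){ 1, i };
        if (add_link(&t, &p0[i]) || add_link(&t, &p1[i])) goto out;
    }
    if (fixed) purge_links(&t, 1);   /* drop references before the free */
    free(p1); p1 = NULL;             /* probe-failure path frees the ports */
    stale = count_links(&t, 1);      /* entries that now point at freed memory */
out:
    purge_links(&t, -1); free(p0); free(p1);
    return stale;
}

int main(void) {
    printf("flawed=%d fixed=%d\n", dangling_after_failed_probe(0), dangling_after_failed_probe(1));
    return 0;
}
```

In the model, the entries for switch 0 stay valid in both cases; only the entries owned by the switch whose probe failed become dangling when they are not purged first.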

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.