Linux Kernel GRE Net Device Use-After-Free Vulnerability in mlxsw Spectrum Router

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's mlxsw Spectrum router component, triggered when deleting GRE net devices. The driver offloads neighbors only on net devices it registers or on their upper Ethernet net devices. Although the driver supports GRE encapsulation and decapsulation, it does not offload dummy neighbors on GRE net devices. When the driver is reloaded, however, it offloads a neighbor that already exists on a GRE net device and later ignores the notification for its deletion, leading to a use-after-free condition when the GRE net device is deleted.

Impact

Exploitation of this vulnerability causes a use-after-free condition, allowing for potential memory corruption.

Reproduction

The vulnerability can be reproduced by creating a GRE net device and adding a neighbor entry on it. The driver will not offload this neighbor because the GRE net device is not an upper of the driver's net devices. After the driver is reloaded, the previously added neighbor is offloaded. If this neighbor is then deleted, the driver ignores the deletion notification, leading to a use-after-free condition when the GRE net device is removed.

Remediation

The vulnerability has been addressed by modifying the driver to skip offloading neighbors on net devices that are not uppers of its own net devices.
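
The sequence from the Reproduction section and the effect of the remediation, as an added example that is not the kernel's or the driver's code. It is a simplified model: every type and function name is hypothetical, and it assumes the flaw is that the reload path offloads neighbors without the ownership check the notification path applies.

```c
#include <stdbool.h>

/* Simplified model, not kernel code; every name here is hypothetical. */
struct netdev { bool is_upper; };   /* false for a GRE net device */
struct neigh  { const struct netdev *dev; bool alive; bool offloaded; };

/* Ownership check used by the notification path. */
static bool dev_is_ours(const struct netdev *d) { return d->is_upper; }

static void on_neigh_add(struct neigh *n)
{
    if (dev_is_ours(n->dev))
        n->offloaded = true;
}

static void on_neigh_del(struct neigh *n)
{
    n->alive = false;               /* the core releases the neighbor */
    if (dev_is_ours(n->dev))        /* notification ignored otherwise */
        n->offloaded = false;
}

/* Driver reload: existing neighbors are offloaded again. */
static void replay(struct neigh *tbl, int cnt, bool fixed)
{
    for (int i = 0; i < cnt; i++) {
        if (fixed && !dev_is_ours(tbl[i].dev))
            continue;               /* remediation: skip non-uppers */
        if (tbl[i].alive)
            tbl[i].offloaded = true;
    }
}

/* Sequence from the Reproduction section; returns stale driver references. */
int scenario(bool fixed)
{
    struct netdev gre = { false }, port = { true };
    struct neigh tbl[2] = { { &gre, true, false }, { &port, true, false } };
    int stale = 0;

    for (int i = 0; i < 2; i++) on_neigh_add(&tbl[i]);
    replay(tbl, 2, fixed);
    for (int i = 0; i < 2; i++) on_neigh_del(&tbl[i]);
    for (int i = 0; i < 2; i++) stale += tbl[i].offloaded && !tbl[i].alive;
    return stale;
}

int main(void) { return (scenario(false) == 1 && scenario(true) == 0) ? 0 : 1; }
```

In the model, an entry that is still marked offloaded after its neighbor has been released stands in for the dangling reference; the neighbor on the driver's own port is cleaned up in both variants.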

Added: Jun 18, 2025, 12:14 PM
Updated: Jun 18, 2025, 12:14 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.