Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's NVMe over TCP implementation. The issue arises in the admin queue configuration process, specifically within the 'nvme_tcp_setup_ctrl()' function. The first call to 'nvme_tcp_configure_admin_queue()' successfully allocates the admin tag set; when the second call fails, the tag set is left in an inconsistent state. The 'nvme_tcp_ctrl' structure is then freed while still being referenced, causing a use-after-free error. The vulnerability can be reproduced by running the blktests test case 'nvme/063' multiple times.
Exploitation of this vulnerability causes a slab-use-after-free error, which can lead to memory corruption and potentially allow for arbitrary code execution.
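A userspace C model of the lifetime error described above, added here as an illustration; it is not kernel code or the upstream patch. The struct and function names, the `registered` pointer standing in for whatever still references the tag set, and the `remove_on_fail` hardening are assumptions of the model.

```c
/* Userspace model of the failing setup path; constructed names, not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct tag_set { int nr_queues; };
struct ctrl { struct tag_set admin_tag_set; };  /* tag set is embedded in ctrl */
static struct tag_set *registered;  /* hypothetical holder of the lingering reference */

/* One configuration attempt: the first allocates the tag set, a failing one removes it only if asked. */
static int configure_admin_queue(struct ctrl *c, bool fail, bool remove_on_fail)
{
    if (!registered) {
        c->admin_tag_set.nr_queues = 1;
        registered = &c->admin_tag_set;
    }
    if (!fail)
        return 0;
    if (remove_on_fail)
        registered = NULL;          /* hardened path: drop the tag set */
    return -1;
}

/* Setup makes two configuration calls; in this model the second one fails. */
static int setup_ctrl(struct ctrl *c, bool remove_on_fail)
{
    if (configure_admin_queue(c, false, remove_on_fail))
        return -1;
    return configure_admin_queue(c, true, remove_on_fail);
}

/* Returns true when ctrl is freed while its tag set is still registered. */
static bool ctrl_freed_while_referenced(bool remove_on_fail)
{
    struct ctrl *c = calloc(1, sizeof(*c));
    bool dangling;
    /* The comparison below runs before free(); the pointer is invalid afterwards. */
    if (!c)
        return false;
    registered = NULL;
    dangling = setup_ctrl(c, remove_on_fail) != 0 && registered == &c->admin_tag_set;
    free(c);
    return dangling;
}

int main(void)
{
    printf("unfixed: %d, hardened: %d\n", ctrl_freed_while_referenced(false), ctrl_freed_while_referenced(true));
    return 0;
}
```

The model never dereferences the stale pointer; it only records that one would exist, which is the condition a slab-use-after-free report reflects.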
The vulnerability can be reproduced by executing the blktests test case 'nvme/063' several times. This test case triggers the admin queue configuration process in a way that exposes the use-after-free flaw.
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.