Linux Kernel SCSI BFA Double-Free Vulnerability

Vulnerability

A double-free vulnerability has been identified in the Linux kernel's SCSI BFA driver. When bfad_im_probe() fails during initialization, it frees the memory referenced by bfad->im but does not reset bfad->im to NULL, leaving a dangling pointer. During driver uninstallation, the state machine transitions to bfad_sm_stopping and invokes bfad_im_probe_undo(), which frees the memory pointed to by bfad->im a second time. The problem can be reproduced by causing bfad_im_probe() to fail during initialization.

Impact

Exploitation of this vulnerability causes a double-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution or a denial-of-service scenario.

Reproduction

To reproduce this vulnerability, load the SCSI BFA driver and induce a failure in the bfad_im_probe() function during initialization. This can be done by manipulating the driver's workload or environment to cause the probing process to fail. When the driver is then uninstalled, the state machine enters the bfad_sm_stopping state and calls bfad_im_probe_undo(), which attempts to free the memory pointed to by bfad->im. Because that memory was already freed without the pointer being reset, the result is a double free.

Remediation

The vulnerability has been addressed by modifying the bfad_im_probe() function to set bfad->im to NULL if the probing process fails. Users should ensure they are running a version of the Linux kernel that includes this fix.
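
A simplified user-space model of the failure path and the fix described above, added here as an illustration and not the driver's own code. The struct layout, the model_ and tracked_free names, and the workq_fails flag are assumptions; releases are counted instead of performed, so the second free is observable without corrupting the heap.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model; field and helper names are assumptions, not kernel code. */
struct im_model { int free_count; };        /* stands in for the object bfad->im points to */
struct bfad_model { struct im_model *im; };

/* Stand-in for kfree(): ignores NULL, and counts the release instead of
 * returning memory, so a repeated release can be detected safely. */
static void tracked_free(struct im_model *im)
{
    if (im)
        im->free_count++;
}

/* Probe path: workq_fails simulates a failure after bfad->im is assigned. */
static int model_im_probe(struct bfad_model *bfad, struct im_model *im,
                          int workq_fails, int patched)
{
    im->free_count = 0;
    bfad->im = im;
    if (workq_fails) {
        tracked_free(im);
        if (patched)
            bfad->im = NULL;    /* the fix: drop the dangling pointer */
        return -1;
    }
    return 0;
}

/* Undo path, reached from the stopping state when the driver is removed. */
static void model_im_probe_undo(struct bfad_model *bfad)
{
    tracked_free(bfad->im);
    bfad->im = NULL;
}

/* Number of times the im object is released across probe + undo. */
int frees_after_unload(int workq_fails, int patched)
{
    struct im_model im;
    struct bfad_model bfad = { NULL };
    model_im_probe(&bfad, &im, workq_fails, patched);
    model_im_probe_undo(&bfad);
    return im.free_count;
}

int main(void)
{
    printf("unpatched, probe fails: %d frees\n", frees_after_unload(1, 0));
    printf("patched,   probe fails: %d frees\n", frees_after_unload(1, 1));
    return 0;
}
```

A count of 2 on the unpatched failure path is the double free; the patched path and the successful-probe path each release the object exactly once.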

Added: Sep 4, 2025, 5:44 PM
Updated: Sep 4, 2025, 5:44 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.