Linux Kernel PCI Endpoint Configfs Group List Head Handling Vulnerability

Vulnerability

A use-after-free has been identified in the Linux kernel's PCI endpoint framework. In the 'pci_epf_remove_cfs' function, 'list_del' is applied to the 'epf_group' field of 'struct pci_epf_driver'. That field is a list head (the anchor of the driver's list of configfs groups), not a list entry, and 'list_del' is only meant for entries: it unlinks an element by writing through its 'prev' and 'next' neighbours and then poisons the element's own pointers. When an endpoint function driver that registered a configfs attribute group is removed, this stray 'list_del' runs after the group entries themselves have been torn down, and the resulting pointer accesses reach memory that has already been freed. With the Kernel Address Sanitizer (KASAN) enabled the kernel reports a slab-use-after-free at this point; without KASAN the same access happens silently, leaving the driver teardown path with a memory-corruption bug.

Impact

The stray 'list_del' accesses freed memory during driver teardown, a use-after-free that corrupts kernel memory. In the general case such a condition can be turned into a kernel crash (denial of service) or, given enough control over the freed object, into arbitrary code execution in the kernel. Two caveats narrow the practical exposure: the trigger is unloading an endpoint function driver, which is a privileged operation (root with module-unload rights), and the affected code only runs on systems that use the PCI endpoint framework with its configfs interface, typically SoCs operating a PCI controller in endpoint mode rather than ordinary hosts.

Reproduction

To reproduce this vulnerability, use a kernel built with the PCI endpoint configfs support and KASAN enabled. Load a PCI endpoint function driver that registers a configfs attribute group, then unload it with 'rmmod'. The unload path calls 'pci_epf_remove_cfs', and the incorrect 'list_del' on the list head produces a KASAN slab-use-after-free report in the kernel log ('dmesg'). Without KASAN the faulty access still executes but may leave no visible trace, so the absence of a warning on a non-KASAN kernel does not mean the system is unaffected.

Remediation

The fix in the Linux kernel removes the incorrect 'list_del' call from 'pci_epf_remove_cfs'; the loop that precedes it, which removes each configfs group in turn, is all the teardown needs, and the list head itself requires no further handling. Upgrade to a kernel release, or a stable-branch update, that carries this change. Systems that do not build the PCI endpoint framework, or whose function drivers expose no configfs attribute group, never reach the affected code.
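To make the head-versus-entry distinction from the Vulnerability and Remediation sections concrete, here is an added userspace model (not kernel code, and not the fix itself) of the kernel's intrusive list with the same 'list_del' poisoning behaviour. The structures 'epf_driver' and 'epf_cfs_group' are hypothetical stand-ins for 'struct pci_epf_driver' and 'struct config_group'; 'epf_remove_cfs_buggy' is shaped like the pre-fix teardown and 'epf_remove_cfs_fixed' like the corrected one. The model shows the contract violation (a poisoned, unusable list head after the buggy teardown); it does not reproduce the exact slab-use-after-free report the kernel produced.

```c
/* Added example: userspace model of the kernel list API, not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same poison values the kernel writes into a deleted entry. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

struct list_head { struct list_head *next, *prev; };

static inline void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static inline void list_add_tail(struct list_head *n, struct list_head *h)
{
    struct list_head *last = h->prev;
    n->next = h; n->prev = last; last->next = n; h->prev = n;
}

/* list_del(): unlink an ENTRY by writing through its neighbours, then poison it. */
static inline void list_del(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = LIST_POISON1;
    e->prev = LIST_POISON2;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry_safe(pos, n, head, member)                     \
    for (pos = container_of((head)->next, __typeof__(*pos), member),       \
         n = container_of(pos->member.next, __typeof__(*pos), member);     \
         &pos->member != (head);                                           \
         pos = n, n = container_of(n->member.next, __typeof__(*n), member))

/* Hypothetical stand-ins for struct config_group and struct pci_epf_driver. */
struct epf_cfs_group {
    char name[16];
    struct list_head group_entry;   /* ENTRY: lives in the driver's list */
};
struct epf_driver {
    struct list_head epf_group;     /* HEAD: anchor of the group list */
};

static void epf_driver_init(struct epf_driver *drv) { INIT_LIST_HEAD(&drv->epf_group); }

static struct epf_cfs_group *epf_add_group(struct epf_driver *drv, const char *name)
{
    struct epf_cfs_group *g = calloc(1, sizeof(*g));
    if (!g) return NULL;
    strncpy(g->name, name, sizeof(g->name) - 1);
    list_add_tail(&g->group_entry, &drv->epf_group);
    return g;
}

/* Per-group teardown: unlink the entry, then release it. */
static void epf_remove_group(struct epf_cfs_group *g)
{
    list_del(&g->group_entry);
    free(g);
}

/* Buggy teardown, shaped like the pre-fix pci_epf_remove_cfs(). */
static void epf_remove_cfs_buggy(struct epf_driver *drv)
{
    struct epf_cfs_group *g, *tmp;
    list_for_each_entry_safe(g, tmp, &drv->epf_group, group_entry)
        epf_remove_group(g);
    list_del(&drv->epf_group);   /* BUG: epf_group is a head, not an entry */
}

/* Fixed teardown: the loop already unlinked every entry; the head stays intact. */
static void epf_remove_cfs_fixed(struct epf_driver *drv)
{
    struct epf_cfs_group *g, *tmp;
    list_for_each_entry_safe(g, tmp, &drv->epf_group, group_entry)
        epf_remove_group(g);
}

/* Inspect a head without dereferencing it: 1 if list_del() poisoned it. */
static int epf_head_is_poisoned(const struct list_head *h)
{
    return h->next == LIST_POISON1 || h->prev == LIST_POISON2;
}

/* Groups still registered, or -1 if the head can no longer be walked safely. */
static int epf_count_groups(const struct epf_driver *drv)
{
    const struct list_head *p;
    int n = 0;
    if (epf_head_is_poisoned(&drv->epf_group))
        return -1;
    for (p = drv->epf_group.next; p != &drv->epf_group; p = p->next)
        n++;
    return n;
}

/* Scenario helpers: register two groups, tear down, report the head's state. */
static int scenario(void (*teardown)(struct epf_driver *))
{
    struct epf_driver drv;
    epf_driver_init(&drv);
    if (!epf_add_group(&drv, "epf_cfs_a") || !epf_add_group(&drv, "epf_cfs_b"))
        return -2;
    teardown(&drv);
    return epf_count_groups(&drv);
}
static int scenario_fixed(void) { return scenario(epf_remove_cfs_fixed); }
static int scenario_buggy(void) { return scenario(epf_remove_cfs_buggy); }

int main(void)
{
    printf("fixed teardown: %d groups left (head reusable)\n", scenario_fixed());
    printf("buggy teardown: %d (head poisoned, unusable)\n", scenario_buggy());
    return 0;
}
```

In the model the stray 'list_del' on the already-empty head poisons the head, so any later 'list_add' or traversal through it would write through the poison addresses and fault. The kernel's own 'list_del' additionally validates the neighbour pointers when CONFIG_DEBUG_LIST is enabled, which is how a head/entry mix-up surfaces as a report rather than silent corruption; on the real teardown path that check is what led to the slab-use-after-free described above.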

Added: Sep 11, 2025, 5:53 PM
Updated: Sep 11, 2025, 5:53 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.0
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.