Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been addressed in the Linux kernel's SCSI LPFC driver. The issue arose from an incorrect buffer release sequence in the deferred receive path, where the receive queue buffer was freed before the context pointer was cleared under a lock. This order could lead to a double-free situation or a use-after-free condition, as concurrent paths like ABTS and the repost path also access and release the same pointer under the lock. The vulnerability affects several versions of the Linux kernel.
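The ordering problem described above, as an added C sketch that is not the lpfc driver's code. All type and function names are hypothetical, and a release counter stands in for the real free so the double release can be observed safely.

```c
#include <pthread.h>
#include <stdio.h>
/* Hypothetical stand-ins for illustration, not the lpfc driver's own types. */
struct rq_buf { int releases; };  /* counts releases instead of calling free() */
struct rcv_ctx { pthread_mutex_t lock; struct rq_buf *rqb; /* shared pointer */ };

/* Detach the buffer pointer under the lock; the caller owns what is returned. */
static struct rq_buf *detach(struct rcv_ctx *c)
{
    pthread_mutex_lock(&c->lock);
    struct rq_buf *b = c->rqb;
    c->rqb = NULL;
    pthread_mutex_unlock(&c->lock);
    return b;
}

/* Concurrent path (abort or repost): detach under the lock, then release. */
static void abort_path(struct rcv_ctx *c)
{
    struct rq_buf *b = detach(c);
    if (b) b->releases++;
}

/* Buggy ordering: release, then clear. racer() is another CPU in the window. */
static void defer_rcv_buggy(struct rcv_ctx *c, void (*racer)(struct rcv_ctx *))
{
    c->rqb->releases++;   /* released while the pointer is still published */
    racer(c);             /* finds the stale pointer and releases it again */
    detach(c);            /* cleared only after the release: too late */
}

/* Corrected ordering: clear under the lock, then release what was detached. */
static void defer_rcv_fixed(struct rcv_ctx *c, void (*racer)(struct rcv_ctx *))
{
    struct rq_buf *b = detach(c);
    racer(c);             /* finds NULL and does nothing */
    if (b) b->releases++;
}

/* How many times one buffer is released under each ordering. */
static int count_releases(int fixed)
{
    struct rq_buf buf = { 0 };
    struct rcv_ctx c = { PTHREAD_MUTEX_INITIALIZER, &buf };
    (fixed ? defer_rcv_fixed : defer_rcv_buggy)(&c, abort_path);
    return buf.releases;
}

int main(void) { printf("buggy: %d, fixed: %d\n", count_releases(0), count_releases(1)); return 0; }
```

A release count above one for the same buffer is the double free; in the corrected ordering the pointer is already NULL by the time any other path takes the lock.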
The vulnerability could be exploited to create a use-after-free condition, potentially leading to memory corruption or arbitrary code execution.
The vulnerability can be reproduced by triggering the deferred receive path in the SCSI LPFC driver, which can be done by sending certain SCSI commands that invoke this path. The incorrect buffer handling will create a use-after-free condition that can be exploited.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading can be found in the official Linux kernel documentation.