Linux Kernel OcteonTX2-PF Component Use-After-Free Vulnerability in PTP Synchronization

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's OcteonTX2-PF component, specifically within the PTP (Precision Time Protocol) synchronization functionality. The otx2_ptp_destroy() function cancels a delayed work item without ensuring that it has fully completed, which creates a race condition. As a result, the PTP structure can be deallocated while the work item is still running, and the work item then dereferences freed memory. The vulnerability has been confirmed by a KASAN (Kernel Address Sanitizer) report indicating a slab-use-after-free error.

Impact

Exploitation of this vulnerability results in access to freed memory, potentially allowing arbitrary code execution or causing a system crash.

Reproduction

The vulnerability can be reproduced by simulating the OcteonTX2 PCI device in QEMU. Artificial delays introduced in the otx2_sync_tstamp() function increase the chances of triggering the race condition. If otx2_ptp_destroy() is called during this delay, the use-after-free occurs.

Remediation

The vulnerability has been fixed by replacing cancel_delayed_work() with cancel_delayed_work_sync() in the otx2_ptp_destroy() function. Unlike cancel_delayed_work(), cancel_delayed_work_sync() waits for a work item that is already executing to finish before it returns, so the delayed work is guaranteed to be stopped before the PTP structure is deallocated.
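
The race and the fix, reduced to a user-space model with POSIX threads (an added example, not the driver's code or the upstream patch). The struct, the two model functions and the flag that stands in for freeing the PTP structure are assumptions made for illustration; no memory is actually freed.

```c
#include <pthread.h>
#include <semaphore.h>

struct ptp_model {
    sem_t started;        /* handler has begun executing */
    sem_t delay_over;     /* ends the artificial delay inside the handler */
    pthread_t worker;     /* stands in for the kworker running the delayed work */
    int freed;            /* set where the driver would free the PTP structure */
    int touched_freed;    /* handler ran against freed state: the use-after-free */
};

/* Models otx2_sync_tstamp(): starts, is delayed, then dereferences ptp. */
static void *sync_tstamp_model(void *arg)
{
    struct ptp_model *p = arg;

    sem_post(&p->started);
    sem_wait(&p->delay_over);
    if (p->freed)               /* the real handler would read freed memory here */
        p->touched_freed = 1;
    return NULL;
}

/* Models otx2_ptp_destroy(); returns 1 if the handler ran after the release. */
static int destroy_model(int use_sync)
{
    struct ptp_model p = { .freed = 0 };

    sem_init(&p.started, 0, 0);
    sem_init(&p.delay_over, 0, 0);
    if (pthread_create(&p.worker, NULL, sync_tstamp_model, &p))
        return -1;
    sem_wait(&p.started);       /* teardown begins while the handler is running */

    if (use_sync) {             /* cancel_delayed_work_sync(): block until it returns */
        sem_post(&p.delay_over);
        pthread_join(p.worker, NULL);
    }                           /* cancel_delayed_work() returns without waiting */
    p.freed = 1;                /* point at which the PTP structure is released */
    if (!use_sync) {            /* handler resumes only after the release */
        sem_post(&p.delay_over);
        pthread_join(p.worker, NULL);
    }
    sem_destroy(&p.started);
    sem_destroy(&p.delay_over);
    return p.touched_freed;
}

int main(void) { return !(destroy_model(0) == 1 && destroy_model(1) == 0); }
```

The delay_over semaphore plays the role of the artificial delay from the reproduction steps: in the non-sync path the handler is still inside its delay when the structure is released, while in the sync path teardown cannot reach the release until the handler has returned.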

Added: Oct 4, 2025, 8:28 AM
Updated: Oct 4, 2025, 8:28 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.