Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's cnic component, specifically in its task deletion path. The function cnic_cm_stop_bnx2x_hw() uses cancel_delayed_work() to stop the cyclic delayed work item 'delete_task', but cancel_delayed_work() does not wait for an instance of 'delete_task' that is already running. The flush_workqueue() call in the same function waits only for work items that were queued before it was invoked, so an item submitted afterwards is not waited for. As a result, a 'delete_task' instance can still be active after the teardown assumes the cyclic work has stopped, which creates a race: cnic_free_dev() frees the cnic_dev structure while 'delete_task' is still running and goes on to access the freed cnic_dev, a use-after-free. The issue was found through static analysis and can be reproduced by simulating the cnic PCI device in QEMU and adding delays to 'delete_task' to widen the race window.
Exploitation of this vulnerability leads to a use-after-free condition, where a freed memory object is accessed, potentially allowing for arbitrary code execution or memory corruption.
The vulnerability can be reproduced by simulating the cnic PCI device in QEMU. Introduce intentional delays in the 'cnic_delete_task()' function, such as adding sleep calls, to increase the chances of triggering the race condition. This delay allows the 'delete_task' to be queued after the flush_workqueue() call, creating a scenario where the task can access a deallocated cnic_dev, thus reproducing the use-after-free vulnerability.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.
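To show why the ordering in the teardown matters, here is an added user-space C model of the sequence described above; it is not kernel code and not the cnic driver's own fix. The names cnic_dev_model, delete_task_model, teardown_unsafe and teardown_safe are constructed, and the two cancel helpers stand in for the semantics of the kernel's cancel_delayed_work() and cancel_delayed_work_sync().

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <unistd.h>
/* Constructed user-space model of the teardown race described above (not kernel
 * code): a "device" plus a running work item that dereferences it. */
struct cnic_dev_model { atomic_bool freed; atomic_int uaf_count; };
struct dwork_model { pthread_t thr; atomic_bool running; struct cnic_dev_model *dev; };

static void *delete_task_model(void *arg)
{
    struct dwork_model *w = arg;
    atomic_store(&w->running, true);
    usleep(50000);                        /* stands in for the injected delay */
    if (atomic_load(&w->dev->freed))      /* in the kernel this is the UAF read */
        atomic_fetch_add(&w->dev->uaf_count, 1);
    return NULL;
}

/* Queue the work and return only once it is already executing, as in the race. */
static void start_in_progress(struct dwork_model *w, struct cnic_dev_model *d)
{
    atomic_init(&d->freed, false); atomic_init(&d->uaf_count, 0);
    atomic_init(&w->running, false); w->dev = d;
    pthread_create(&w->thr, NULL, delete_task_model, w);
    while (!atomic_load(&w->running)) usleep(100);
}
/* Like cancel_delayed_work(): drops a pending item, never waits for a running one. */
static void cancel_model(struct dwork_model *w) { (void)w; }
/* Like cancel_delayed_work_sync(): also waits until a running item has returned. */
static void cancel_sync_model(struct dwork_model *w) { pthread_join(w->thr, NULL); }

/* Vulnerable order: cancel without waiting, then free. Returns the UAF count (1). */
int teardown_unsafe(void)
{
    struct cnic_dev_model d; struct dwork_model w;
    start_in_progress(&w, &d);
    cancel_model(&w);
    atomic_store(&d.freed, true);         /* cnic_free_dev() while work still runs */
    pthread_join(w.thr, NULL);            /* collect the result only */
    return atomic_load(&d.uaf_count);
}
/* Hardened order: wait for the running item, then free. Returns 0. */
int teardown_safe(void)
{
    struct cnic_dev_model d; struct dwork_model w;
    start_in_progress(&w, &d);
    cancel_sync_model(&w);
    atomic_store(&d.freed, true);
    return atomic_load(&d.uaf_count);
}
```

The model covers only the cancel-versus-cancel_sync half of the bug; the flush_workqueue() ordering issue described above is a separate window that the same wait-before-free discipline closes.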