Linux Kernel Use-After-Free Vulnerability in SMC Pnet Resource Functions

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of network devices within the Socket Memory Control (SMC) protocol. The defect is in '__pnet_find_base_ndev()', which is called during connection setup. 'smc_pnet_find_ism_resource()' retrieves the network device associated with a socket's destination entry and passes it to 'pnet_find_base_ndev()', which uses it under the Real-Time Networking Layer (RTNL) lock. The network device may already have been freed by the time the RTNL lock is acquired, which results in a use-after-free. The condition is reachable when the destination entry's device reference is released, so that a swapped-in blackhole device is accessed in place of the original one.

Impact

Triggering this vulnerability causes freed memory to be accessed, which can corrupt kernel memory and potentially allow arbitrary code execution.

Reproduction

The vulnerability can be reproduced by establishing an SMC connection at a point where the destination entry's device reference has been released. The connection path calls 'smc_pnet_find_ism_resource()', which in turn triggers the use-after-free in '__pnet_find_base_ndev()'.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is '233927b645cb7a14bb98d23ac72e4c7243a9f0d9', which is available in the Linux kernel stable tree.

Added: Oct 28, 2025, 12:39 PM
Updated: Oct 28, 2025, 12:39 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.7
remediation     7.7
relevance       0.8
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.