Linux Kernel NVMe Controller Admin Request Queue Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's NVMe controller management. Namespaces can access the controller's admin request queue, so they can be left holding stale references to it after the controller is torn down. The vulnerability was introduced in version 6.13.2; accessing the freed memory triggers a slab-use-after-free error. The fix ensures the admin request queue is properly managed, preventing access to the request queue after the controller is removed.
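The lifetime problem described above, as an added example that is not kernel code and not the upstream patch: a user-space model in which a flag stands in for the free so the stale access can be observed safely. All struct and function names are hypothetical, and tying the queue's release to the last controller reference is an assumption about how "properly managed" is achieved.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model; none of these are kernel symbols. */
struct admin_queue { bool released; };  /* flag stands in for the free */
struct ctrl { int refs; struct admin_queue q; };
struct ns { struct ctrl *ctrl; };

/* Drop one reference; the last put releases the queue with the controller. */
static void ctrl_put(struct ctrl *c)
{
    if (--c->refs > 0)
        return;
    free(c);
}

/* A namespace pins the controller for as long as it can reach the queue. */
static void ns_attach(struct ns *n, struct ctrl *c) { n->ctrl = c; c->refs++; }

/* early_release=true models the flawed ordering: the queue is released at
 * teardown although an attached namespace can still reach it. */
static void ctrl_teardown(struct ctrl *c, bool early_release)
{
    if (early_release)
        c->q.released = true;
    ctrl_put(c);                        /* driver drops its reference */
}

/* Tear down with one namespace attached; true if it sees a released queue. */
static bool stale_after_teardown(bool early_release)
{
    struct ctrl *c = calloc(1, sizeof(*c));
    struct ns n;
    if (!c) abort();
    c->refs = 1;                        /* reference held by the driver */
    ns_attach(&n, c);
    ctrl_teardown(c, early_release);
    bool stale = n.ctrl->q.released;    /* safe read: ns still pins ctrl */
    ctrl_put(c);                        /* namespace drops the last reference */
    return stale;
}

int main(void)
{
    printf("early release: stale=%d\n", stale_after_teardown(true));
    printf("release on last put: stale=%d\n", stale_after_teardown(false));
    return 0;
}
```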

Impact

Exploitation of this vulnerability leads to a use-after-free condition, where memory that has been freed is still accessed, potentially causing memory corruption or allowing execution of arbitrary code.

Reproduction

To reproduce this vulnerability, create a scenario where an NVMe controller is removed while namespaces still hold references to its admin request queue. If the controller is torn down before all references are released, a later access to the admin request queue is a use-after-free.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: Dec 16, 2025, 3:20 PM
Updated: Dec 16, 2025, 3:20 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.