Linux Kernel IPMI Interface Use-After-Free and List Corruption Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem. This issue arises when the SMI (System Management Interrupt) sender reports an error. The error handling process fails to properly clear the current message, leading to a situation where the same message is processed multiple times. This repeated processing causes list corruption by adding the same message to the user message list twice. The corrupted list management eventually results in a use-after-free condition, where freed memory is accessed again, causing a NULL pointer dereference.
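The following C program is an added illustration, not code from the Linux kernel or from this advisory: it models the bug pattern described above with a minimal `list_head`-style list and a hypothetical `struct intf` holding a `curr_msg` pointer (all names are assumptions). The buggy error path delivers the failed message to the user but leaves `curr_msg` set, so the normal completion step sees the message as still pending and links it onto the user list a second time; the fixed path clears the in-flight slot first. A constructed scan in `deliver_to_user` reports the double add rather than letting the demo corrupt its own list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal circular doubly-linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h;
    n->prev = h->prev;
    h->prev->next = n;
    h->prev = n;
}

/* A received message; in the real subsystem it is freed once the user consumes it. */
struct msg { int id; struct list_head link; };

/* Hypothetical interface state (assumed names): the message currently out at the
 * SMI sender and the list of messages queued for delivery to the user. */
struct intf {
    struct msg *curr_msg;
    struct list_head user_msgs;
};

/* Queue a message for the user. Linking a node that is already on the list is the
 * corruption the advisory describes: once the first copy is consumed and freed,
 * the second link points at freed memory. The scan below is a constructed guard so
 * the demo reports the double add instead of corrupting itself. Returns 0 when
 * queued, -1 when the node was already present. */
static int deliver_to_user(struct intf *i, struct msg *m)
{
    for (struct list_head *p = i->user_msgs.next; p != &i->user_msgs; p = p->next)
        if (p == &m->link)
            return -1;
    list_add_tail(&m->link, &i->user_msgs);
    return 0;
}

/* Buggy error path: the failed message is handed to the user, but curr_msg is
 * left pointing at it, so later processing still treats it as in flight. */
static void smi_error_buggy(struct intf *i)
{
    if (i->curr_msg)
        deliver_to_user(i, i->curr_msg);
}

/* Fixed error path: release the in-flight slot before delivering, so the
 * message can only ever be queued once. */
static void smi_error_fixed(struct intf *i)
{
    struct msg *m = i->curr_msg;
    if (!m)
        return;
    i->curr_msg = NULL;
    deliver_to_user(i, m);
}

/* Drive one message through an error report followed by the interface's normal
 * completion step, which delivers whatever curr_msg still points at. Returns the
 * number of double-add attempts observed (0 is the correct behaviour). */
static int run_scenario(void (*on_error)(struct intf *))
{
    struct msg m = { .id = 1 };
    struct intf i = { .curr_msg = &m };
    int doubles = 0;

    list_init(&i.user_msgs);
    on_error(&i);

    if (i.curr_msg) {                 /* stale pointer survived the error path */
        if (deliver_to_user(&i, i.curr_msg) < 0)
            doubles++;
        i.curr_msg = NULL;
    }
    return doubles;
}

int demo_buggy(void) { return run_scenario(smi_error_buggy); }
int demo_fixed(void) { return run_scenario(smi_error_fixed); }

int main(void)
{
    printf("buggy error path: %d double add(s)\n", demo_buggy());
    printf("fixed error path: %d double add(s)\n", demo_fixed());
    return 0;
}
```

The point the model makes is that the defect is not in the list code but in ownership bookkeeping: whichever path hands a message onward must also drop its own reference to it, or two code paths end up believing they own the same node.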

Impact

Triggering this vulnerability produces a use-after-free and a NULL pointer dereference in the kernel; the resulting memory corruption could be leveraged for arbitrary code execution.

Reproduction

To reproduce this vulnerability, send an SMI message that causes the sender to report an error. Because the error handling does not clear the current message, the same message is processed again and the received message is queued for delivery twice, corrupting the user message list. Once the list is corrupted, subsequent processing accesses the freed message, causing a NULL pointer dereference.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Mar 25, 2026, 12:43 PM
Updated: Mar 25, 2026, 12:43 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.