Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's Microsoft Azure Network Adapter (MANA) driver. This issue arises in the 'mana_hwc_destroy_channel()' function, where the 'caller_ctx' is freed before the Completion Queue (CQ) and Event Queue (EQ) are properly destroyed. As a result, an in-flight CQ interrupt handler can access freed memory, causing either a use-after-free condition or a NULL pointer dereference in the 'mana_hwc_handle_resp()' function. The vulnerability is exacerbated by a lack of synchronization with IRQ handlers running on other CPUs, allowing concurrent event handlers to dereference freed memory, leading to potential memory corruption.
Triggering the use-after-free can result in memory corruption or a NULL pointer dereference, which could lead to a crash or other undefined behavior.
The vulnerability can be reproduced by triggering the 'mana_hwc_destroy_channel()' function while an IRQ handler is still executing on a different CPU. This can be done by creating a hardware channel and then destroying it without properly synchronizing the IRQ handlers, allowing the 'caller_ctx' to be freed while it is still being accessed by an interrupt handler.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The patch is available in the Linux kernel stable tree.
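The teardown ordering described above, as an added userspace model (not the driver's code and not the upstream patch). Every name except 'caller_ctx' is hypothetical, and the corrected order shown is an assumption: the inverse of the ordering the description identifies as faulty.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: names other than caller_ctx are hypothetical. */
struct hwc_model {
    int  *caller_ctx;     /* context the CQ handler reads */
    bool  ctx_freed;      /* tracked instead of calling free(): no real UAF here */
    bool  cq_registered;  /* true while the CQ/EQ can still deliver interrupts */
    int   stale_accesses; /* handler runs that saw a freed or NULL context */
};

/* Models the CQ interrupt path that ends in the response handler. */
static void cq_irq(struct hwc_model *h)
{
    if (!h->cq_registered)
        return;                  /* queue destroyed: nothing is delivered */
    if (h->ctx_freed || h->caller_ctx == NULL)
        h->stale_accesses++;     /* in the kernel: use-after-free or NULL deref */
}

static void free_ctx(struct hwc_model *h) { h->ctx_freed = true; h->caller_ctx = NULL; }

/* In the kernel this step must also wait for handlers already running on
 * other CPUs; the single-threaded model treats it as atomic. */
static void destroy_cq(struct hwc_model *h) { h->cq_registered = false; }

/* Runs one teardown with an interrupt arriving between the two steps, as an
 * in-flight IRQ on another CPU would. Returns the number of stale accesses. */
static int teardown(bool queues_first)
{
    int ctx_storage = 0;
    struct hwc_model h = { &ctx_storage, false, true, 0 };

    if (queues_first) { destroy_cq(&h); cq_irq(&h); free_ctx(&h); }
    else              { free_ctx(&h);   cq_irq(&h); destroy_cq(&h); }
    cq_irq(&h);  /* an interrupt after full teardown must also be harmless */
    return h.stale_accesses;
}

int main(void)
{
    printf("context freed first:    %d stale access(es)\n", teardown(false));
    printf("queues destroyed first: %d stale access(es)\n", teardown(true));
    return 0;
}
```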