Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.1.164, < 6.1.165
A use-after-free vulnerability has been identified in the Linux kernel's MACB Ethernet driver, specifically in the handling of Precision Time Protocol (PTP) clocks. This issue arises because the PTP clock is registered each time the interface is opened and removed when it is closed. However, the clock can still be accessed through the 'get_ts_info' ethtool call while the interface is active, leading to a use-after-free condition. The vulnerability was detected using Kernel Address Sanitizer (KASAN), which reported a read of freed memory by a task named 'syz.0.6'.
The use-after-free condition may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.
The vulnerability can be reproduced by opening a network interface that uses the MACB driver, which will register a PTP clock. While the interface is still active, the 'get_ts_info' ethtool command can be used to access the PTP clock information. This access occurs after the PTP clock has been unregistered, creating a use-after-free situation.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.
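A host triage check, added here as an example and not part of the advisory or the kernel project: it reports whether the running kernel falls in the version range listed on this page and whether any network interface is bound to the MACB driver. It assumes the driver appears in sysfs under the name `macb`; the function names and verdict strings are made up for this example.

```shell
#!/bin/sh
# Added triage example (not from the advisory).
# Assumption: the MACB driver binds under the sysfs driver name "macb".
# The range checked is the single one listed on this page.

# ver_lt A B: succeeds when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# in_affected_range RELEASE MIN MAX: succeeds when MIN <= RELEASE < MAX.
# Local suffixes such as "-rt5" or "+" are stripped before comparing.
in_affected_range() {
    v=$(printf '%s' "$1" | sed 's/[-+].*$//')
    ! ver_lt "$v" "$2" && ver_lt "$v" "$3"
}

# macb_ifaces [SYSROOT]: print each interface whose bound driver is macb.
# SYSROOT lets the check run against a copied or mounted filesystem image.
macb_ifaces() {
    for dev in "${1:-}"/sys/class/net/*; do
        drv=$(readlink "$dev/device/driver" 2>/dev/null) || continue
        [ "$(basename "$drv")" = "macb" ] && printf '%s\n' "$(basename "$dev")"
    done
    return 0
}

# triage RELEASE [SYSROOT]: print a one-line verdict for this host.
triage() {
    found=$(macb_ifaces "${2:-}" | paste -sd' ' -)
    if ! in_affected_range "$1" 6.1.164 6.1.165; then
        echo "not-in-listed-range"
    elif [ -z "$found" ]; then
        echo "in-range-no-macb"
    else
        echo "exposed: $found"
    fi
}

# Typical use on a live host:
#   triage "$(uname -r)"
```

A verdict of `not-in-listed-range` only covers the range shown here; distribution kernels that backport patches need to be checked against the vendor's own advisory.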