Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's Open vSwitch (OVS) component, specifically in the netdev management of OVS ports. The teardown of OVS ports was changed so that it no longer takes the RTNL lock unconditionally; as a result, netdev_destroy() can proceed straight to call_rcu() when the IFF_OVS_DATAPATH flag has already been cleared on the netdev. However, ovs_netdev_detach_dev() clears that flag before the unregistration has finished. On real-time kernels the detach path can be preempted in that window, so netdev_destroy() can complete and free the device before the unregistration is fully processed; the subsequent access to the freed device triggers a general protection fault on a non-canonical address.
Exploitation of this vulnerability causes a general protection fault, likely due to a use-after-free condition that accesses a freed memory address, leading to a crash or potential arbitrary code execution.
To reproduce this vulnerability, create an Open vSwitch port and then unlink it while the OVS datapath flag is set. If the operation is preempted after clearing the flag, the netdev can be destroyed and freed before the unregistration is complete, causing a crash.
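The ordering hazard above, replayed as an added userspace C model (not code from this advisory or from the kernel): detach is split at the point where preemption can occur, and the destroy path is run either in that gap or after detach has finished. The struct fields, `teardown_uaf_count` and the "unregister first" ordering are assumptions of the model, not the upstream patch.

```c
#include <stdbool.h>
/* Constructed userspace model of the ordering hazard described above; the
 * names mirror the advisory but nothing here is kernel code. */
#define IFF_OVS_DATAPATH 0x1U             /* stands in for the real flag bit */

struct netdev {
    unsigned int flags;
    bool registered;                      /* still attached to the datapath */
    bool freed;                           /* set once the destroy path released it */
    int uaf_touches;                      /* accesses made after the free */
};

/* Destroy path after the teardown change: with the datapath flag already
 * clear it skips the RTNL-protected route and frees at once (call_rcu). */
static void netdev_destroy_model(struct netdev *dev)
{
    if (!(dev->flags & IFF_OVS_DATAPATH))  /* flag set: kernel takes locked route */
        dev->freed = true;
}

/* ovs_netdev_detach_dev() split at the point where preemption can occur.
 * vulnerable_order clears the flag first; the alternative (an illustration,
 * not the upstream patch) finishes unregistration before clearing it. */
static void detach_first_half(struct netdev *dev, bool vulnerable_order)
{
    if (vulnerable_order)
        dev->flags &= ~IFF_OVS_DATAPATH;
    else
        dev->registered = false;
}

static void detach_second_half(struct netdev *dev, bool vulnerable_order)
{
    if (dev->freed)
        dev->uaf_touches++;               /* writing to a freed netdev: the UAF */
    if (vulnerable_order)
        dev->registered = false;
    else
        dev->flags &= ~IFF_OVS_DATAPATH;
}

/* One teardown; preempt_in_gap models an RT kernel running the destroy path
 * between the detach halves. Returns freed-memory accesses (0 = window closed). */
int teardown_uaf_count(bool vulnerable_order, bool preempt_in_gap)
{
    struct netdev dev = { .flags = IFF_OVS_DATAPATH, .registered = true };
    detach_first_half(&dev, vulnerable_order);
    if (preempt_in_gap)
        netdev_destroy_model(&dev);
    detach_second_half(&dev, vulnerable_order);
    if (!preempt_in_gap)
        netdev_destroy_model(&dev);       /* the normal, unpreempted order */
    return dev.uaf_touches;
}
```

Only the combination of the flag-first ordering and preemption inside the gap yields a touch of freed memory, which is why the fault shows up on real-time kernels.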
The vulnerability has been fixed in the Linux kernel; users should upgrade to a kernel version that includes the fix.