Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability and a memory leak have been identified in the LAN966X Ethernet driver of the Linux kernel. The issue arises in the 'lan966x_fdma_reload()' function when it fails to allocate new receive (RX) buffers. The function then attempts to restart Direct Memory Access (DMA) using the old descriptors, whose pages have already been freed. DMA can therefore target memory that has since been handed to other kernel subsystems, causing data corruption or instability. Furthermore, if the allocation was only partially successful, the function overwrites the newly created page pool without releasing it first, resulting in a memory leak.
Exploitation of this vulnerability can cause memory corruption by allowing DMA to write into freed memory, which could lead to unpredictable behavior or crashes. Additionally, the memory leak can contribute to increased resource usage and potential exhaustion of system memory.
The vulnerability can be reproduced by invoking the 'lan966x_fdma_reload()' function with a new MTU value that triggers a failure in RX buffer allocation. This can be done by simulating a low-memory condition or by modifying the function to intentionally fail the allocation. Once the function is executed under these conditions, the vulnerability will manifest as the restore path incorrectly handles the old descriptors and page pool, leading to a use-after-free situation and a memory leak.
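The failure path described above, as an added example that is neither the lan966x driver's code nor the upstream fix: a constructed userspace model of an RX reload in which the vulnerable shape frees the old pages before the new buffers exist and, on failure, restarts DMA on them while dropping the half-built pool; the hardened shape beside it keeps the old pool until the replacement is complete. `scenario()`, `dma_hit_freed_pages()` and `leaked_pools()` are assumed helper names for the model, and "low memory" is simulated by a flag.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>
/* Constructed userspace model of an RX buffer reload; not the lan966x driver's code. */
struct page_pool { bool pages_freed; };
struct rx_ring { struct page_pool *pool; bool dma_on_freed_pages; };
static struct page_pool pools[8];    /* never reused, so a freed pool stays inspectable */
static int next_pool, live_pools;
static struct rx_ring ring;

static void model_reset(void) { memset(pools, 0, sizeof(pools)); memset(&ring, 0, sizeof(ring)); next_pool = live_pools = 0; }
static struct page_pool *pool_create(void) { live_pools++; return &pools[next_pool++]; }
static void pool_destroy(struct page_pool *p) { p->pages_freed = true; live_pools--; }
/* Restarting DMA records whether the ring's descriptors now point at freed pages. */
static void dma_start(struct rx_ring *rx) { rx->dma_on_freed_pages = rx->pool->pages_freed; }

/* Vulnerable shape: old pages are released before the new buffers exist. */
static int reload_buggy(struct rx_ring *rx, bool low_mem)
{
	struct page_pool *old = rx->pool;
	pool_destroy(old);               /* old RX pages go back to the allocator */
	rx->pool = pool_create();        /* new pool exists: partial success */
	if (low_mem) {                   /* simulated RX buffer allocation failure */
		rx->pool = old;          /* new pool overwritten, never released: leak */
		dma_start(rx);           /* old descriptors, freed pages: use-after-free */
		return -ENOMEM;
	}
	dma_start(rx);
	return 0;
}
/* Hardened shape (assumed pattern, not the upstream patch): keep the old pool until the new one is complete. */
static int reload_fixed(struct rx_ring *rx, bool low_mem)
{
	struct page_pool *fresh = pool_create();
	if (low_mem) {
		pool_destroy(fresh);     /* release the half-built pool */
		dma_start(rx);           /* the old pool still backs the ring */
		return -ENOMEM;
	}
	pool_destroy(rx->pool);          /* old pages are freed only after success */
	rx->pool = fresh;
	dma_start(rx);
	return 0;
}
/* Runs one reload on a fresh ring; the accessors expose what a check would look at. */
static int scenario(int (*reload)(struct rx_ring *, bool), bool low_mem) { model_reset(); ring.pool = pool_create(); return reload(&ring, low_mem); }
static bool dma_hit_freed_pages(void) { return ring.dma_on_freed_pages; }
static int leaked_pools(void) { return live_pools - !ring.pool->pages_freed; }
```

Running `scenario(reload_buggy, true)` reports DMA restarted on freed pages and one unreferenced live pool; `scenario(reload_fixed, true)` fails cleanly with the old pool still backing the ring and nothing leaked.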
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The patches can be downloaded from the Linux kernel Git repository.