Linux Kernel Fore200e Adapter Use-After-Free Vulnerability in Tasklets During Device Removal

A use-after-free vulnerability has been identified in the Linux kernel's ATM fore200e driver, specifically related to the PCA-200E and SBA-200E adapters. When these adapters are detached, the associated fore200e structure is deallocated. However, the transmission and reception tasklets may still be active or pending. This can lead to a race condition where the freed fore200e structure is accessed again by the tasklets, causing a use-after-free bug. The vulnerability arises because the tasklets are not properly synchronized with the device removal process, allowing them to operate on deallocated memory.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, where a tasklet accesses memory that has already been freed. This can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

To reproduce this vulnerability, detach a PCA-200E or SBA-200E adapter while the associated transmission or reception tasklet is still running or pending. This can be done by calling the 'fore200e_pca_remove_one()' function, which initiates the device removal process. However, if the 'fore200e_interrupt()' function is called simultaneously on a different CPU, the tasklet may still be active when the 'fore200e' structure is freed, leading to a use-after-free condition.

Remediation

The vulnerability has been fixed by ensuring that the transmission and reception tasklets are properly canceled before the fore200e structure is released. This is done by adding the 'tasklet_kill()' function in the 'fore200e_shutdown()' function, which is responsible for cleaning up the device before it is deallocated. The 'tasklet_kill()' function should only be called when the fore200e state is ready for tasklets to be safely terminated.