Linux Kernel PCI Rescan Service Vulnerability Leading to Use-After-Free Crash

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's PCI rescan service for the Microsoft Azure Network Adapter (MANA). This issue arises when the 'mana_serv_reset()' function calls 'mana_gd_suspend()', which cleans up and destroys the workqueue used for servicing events. If the subsequent 'mana_gd_resume()' fails, the code proceeds to 'mana_serv_rescan()', triggering a PCI device removal that invokes the cleanup process again, attempting to destroy the already-freed workqueue. This flaw can cause a crash by accessing freed memory, creating a potential exploitation vector.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, causing a crash by accessing deallocated memory. Such use-after-free vulnerabilities can often be exploited to execute arbitrary code or cause other unintended behavior.

Reproduction

To reproduce this vulnerability, reset the MANA service in a scenario where the 'mana_gd_resume()' function fails with a timeout or protocol error. This will trigger the 'mana_serv_rescan()' function, which removes the PCI device and causes the cleanup process to run twice, attempting to destroy the workqueue after it has already been freed.
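
The double-teardown sequence described above, reduced to a userspace C model and shown next to an idempotent cleanup. This is an added example, not the MANA driver's code or the upstream fix; the struct and function names and the guard-and-clear pattern are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model; all names below are hypothetical, not the MANA driver's. */
struct wq { bool live; };                 /* stand-in for a workqueue */
struct ctx { struct wq *service_wq; int stale_destroys; };

static struct wq pool[1];                 /* static storage: a "freed" slot stays readable */

static void wq_destroy(struct ctx *c, struct wq *w)
{
    if (!w->live)                         /* in a kernel this access is the use-after-free */
        c->stale_destroys++;
    w->live = false;
}

/* Cleanup as the advisory describes it: destroys whatever the pointer holds. */
static void cleanup_unguarded(struct ctx *c)
{
    wq_destroy(c, c->service_wq);
}

/* Idempotent cleanup: skip if already torn down, clear the pointer afterwards. */
static void cleanup_guarded(struct ctx *c)
{
    if (!c->service_wq)
        return;
    wq_destroy(c, c->service_wq);
    c->service_wq = NULL;
}

/* Reset path: suspend -> resume (fails) -> rescan -> remove -> cleanup again. */
static int reset_with_failed_resume(void (*cleanup)(struct ctx *))
{
    struct ctx c = { .service_wq = &pool[0], .stale_destroys = 0 };
    bool resume_ok = false;               /* constructed failure: timeout or protocol error */

    pool[0].live = true;
    cleanup(&c);                          /* suspend step tears down the workqueue */
    if (!resume_ok)
        cleanup(&c);                      /* rescan removes the device; cleanup runs again */
    return c.stale_destroys;              /* number of destroys that hit a dead workqueue */
}

int main(void)
{
    return !(reset_with_failed_resume(cleanup_unguarded) == 1 &&
             reset_with_failed_resume(cleanup_guarded) == 0);
}
```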

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 6, 2026, 12:33 PM
Updated: May 6, 2026, 12:33 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.