CVE-2023-54015
Description
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
In case devcom allocation fails, mlx5 is always freeing the priv. However, this priv might have been allocated by a different thread, and freeing it might lead to use-after-free bugs. Fix it by freeing the priv only in case it was allocated by the running thread.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in mlx5_devcom_register_device when devcom allocation fails leads to incorrect priv freeing.
Vulnerability Analysis
In the Linux kernel's net/mlx5 driver, the function mlx5_devcom_register_device contains a critical error in its failure path. When devcom allocation fails, the code unconditionally frees the priv structure. However, this priv may have been allocated by a different thread, and freeing it incorrectly can cause a use-after-free condition [1][2].
Exploitation
The vulnerability arises during device registration in the Mellanox (now Nvidia) mlx5 network driver. An attacker would need to trigger a devcom allocation failure, potentially through resource exhaustion or specific race conditions. The incorrect error handling then frees memory that might still be in use by another thread [1][3].
Impact
A local attacker with sufficient privileges could exploit this bug to cause a use-after-free, leading to kernel memory corruption. This could result in a denial of service (system crash) or potentially allow privilege escalation, as use-after-free flaws in kernel drivers are often leveraged for arbitrary code execution in the kernel context [2][3].
Mitigation
The fix, which has been applied to the stable kernel tree, ensures that priv is freed only if it was allocated by the current thread. Users should update their Linux kernel to a version containing the commit addressing this issue [1][2].
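The ownership rule behind the fix, as an added userspace C model (not the kernel's code and not taken from the patches listed on this page). All names are hypothetical; the "different thread" is modeled by a pre-populated registry, and a priv the caller did not allocate is marked rather than freed so the resulting state can be checked safely.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model; all names are hypothetical, not the mlx5 driver's own. */
struct shared_priv { int users; bool freed; };
struct component { struct shared_priv *priv; };

static struct shared_priv *registry;   /* priv already published by another caller */
static bool fail_component_alloc;      /* hook: force the allocation failure */

/* A priv this call did not allocate is only marked as freed, so the dangling
 * state can be inspected without touching released memory. */
static void priv_release(struct shared_priv *p, bool owned)
{
    if (owned) free(p); else p->freed = true;
}

static struct component *component_alloc(struct shared_priv *p)
{
    struct component *c = fail_component_alloc ? NULL : malloc(sizeof(*c));
    if (c) { c->priv = p; p->users++; }
    return c;
}

/* fixed == false: error path frees priv unconditionally (the bug).
 * fixed == true:  error path frees priv only if this call allocated it. */
struct component *register_device(bool fixed)
{
    struct shared_priv *priv = registry;   /* reuse a priv created elsewhere */
    bool new_priv = false;

    if (!priv) {
        priv = calloc(1, sizeof(*priv));
        if (!priv) return NULL;
        new_priv = true;                   /* this call owns the allocation */
    }
    struct component *c = component_alloc(priv);
    if (!c) {
        if (!fixed || new_priv)
            priv_release(priv, new_priv);
        return NULL;
    }
    if (new_priv) registry = priv;         /* publish only after full success */
    return c;
}
```

With `fixed` false, a failed component allocation releases a priv that the registry (and therefore other callers) still references; with `fixed` true, that priv is left alone and only a freshly allocated one is released.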
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 6
- 3dfc1004d9af
- d4d10a6df152
- 1e7550653680
- eaa365c10459
- a3a516caef2c
- af87194352ca
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/1e755065368000205e6683fa924b2654e99f573b (nvd)
- git.kernel.org/stable/c/3dfc1004d9afbf689087ae1eafd88f55481984c7 (nvd)
- git.kernel.org/stable/c/a3a516caef2c5be2f4d171890a8b3415bfab4e5e (nvd)
- git.kernel.org/stable/c/af87194352cad882d787d06fb7efa714acd95427 (nvd)
- git.kernel.org/stable/c/d4d10a6df1529b3f446cdada5c25e065f4712756 (nvd)
- git.kernel.org/stable/c/eaa365c10459052cbe3e44caa4ad760cb93bd435 (nvd)