Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's network driver for the TI ICSSG PRU Ethernet (icssg-prueth). Specifically, a pointer to a CPPI descriptor's data (psdata) is accessed after the descriptor has already been freed. The functions emac_rx_packet() and emac_rx_packet_zc() free the descriptor too early, before the psdata pointer is used by emac_rx_timestamp(), which dereferences elements of psdata. This results in accessing memory that has been freed, which is unsafe and can cause undefined behavior.

The fix involves deferring the freeing of the descriptor until after all accesses through the psdata pointer are complete, ensuring the pointer is not used after the memory is freed.

Useful 0 Not Useful 0

Impact Analysis

A use-after-free vulnerability can lead to undefined behavior such as system crashes, data corruption, or potential security risks like arbitrary code execution if exploited. In this case, since the vulnerability occurs in the network driver receiving packets, it could be triggered by network traffic, potentially allowing an attacker to cause denial of service or execute malicious code within the kernel context.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is a use-after-free issue in the Linux kernel's ti: icssg-prueth driver related to CPPI descriptor handling in the RX path.

To mitigate this vulnerability, update your Linux kernel to a version where this issue is fixed. The fix involves deferring the freeing of the CPPI descriptor until after all accesses through the psdata pointer are complete.

Specifically, the fix moves the descriptor free operation to occur after the timestamp data is accessed, ensuring no use-after-free occurs.

Therefore, applying the vendor or distribution kernel update that includes this patch is the immediate recommended step.

Useful 0 Not Useful 0