CVE-2024-40920: bridge MST VLAN UAF
Severity: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: bridge: mst: fix suspicious rcu usage in br_mst_set_state

I converted br_mst_set_state to RCU to avoid a vlan use-after-free but forgot to change the vlan group dereference helper. Switch to vlan group RCU deref helper to fix the suspicious rcu usage warning.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the Linux bridge MST implementation could allow local attackers with network configuration privileges to cause system crashes or potentially execute arbitrary code by manipulating bridge port states to trigger access to freed VLAN group memory.
Vulnerability analysis
Summary: The br_mst_set_state function in the Linux bridge MST (Multiple Spanning Tree) implementation contains a use-after-free vulnerability due to incorrect RCU (Read-Copy-Update) usage when dereferencing VLAN group structures.
Root Cause: The function was converted to use RCU protection to prevent VLAN use-after-free issues, but the developer forgot to update the VLAN group dereference helper from nbp_vlan_group() to nbp_vlan_group_rcu(). This creates a mismatch where the code is running under RCU read lock but using a non-RCU-safe dereference helper, potentially accessing freed memory.
Attack Surface: This vulnerability affects bridge networking functionality and requires local access to trigger MST state changes. The attack surface is limited to systems that use bridge MST features, and triggering it requires the ability to change bridge port states, which typically means elevated privileges or network configuration access.
Fix Mechanism: The patch changes the VLAN group dereference from nbp_vlan_group(p) to nbp_vlan_group_rcu(p) to use the proper RCU-safe helper function that matches the RCU read lock context already established in the function.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.95 | 7caefa277172 |
| 6.6 | 6.6.35 | 406bfc04b01e |
| 6.9 | 6.9.6 | caaa2129784a |