Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's handling of connection tracking (CT) rules within the Mellanox MLX5 Ethernet driver. The issue arises because the cleanup process for CT rules is not properly synchronized, leading to a warning trace about a double-free error. Specifically, the CT cleanup is performed before all traffic control (TC) rules have been deleted, causing shared CT resources to be prematurely removed. This vulnerability can be reproduced by loading a module that interacts with the MLX5 driver, which will trigger the improper cleanup sequence.
Exploitation of this vulnerability can lead to a use-after-free condition and a double-free error, which could potentially be used to execute arbitrary code or to crash the system, causing a denial of service.
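The ordering problem described above can be seen in a small user-space model. This is an added example, not code from the MLX5 driver or the kernel fix; every struct and function name in it is hypothetical. It counts how many rule deletions reach shared CT state that has already been torn down, for both teardown orders.

```c
#include <stdbool.h>

/* User-space model only. Every name is hypothetical, not an mlx5 symbol. */
struct ct_shared { bool alive; int users; };   /* shared CT resources */
struct tc_rule { struct ct_shared *ct; };      /* a TC rule using them */

/* Releases that hit an already-destroyed shared resource. */
static int stale_releases;

static void tc_rule_add(struct tc_rule *r, struct ct_shared *ct)
{
    r->ct = ct;
    ct->users++;
}

static void tc_rule_del(struct tc_rule *r)
{
    if (r->ct->alive)
        r->ct->users--;
    else
        stale_releases++;              /* shared state already gone */
}

/* Guarded teardown: refuses while rules still hold the resource, unless forced. */
static int ct_cleanup(struct ct_shared *ct, bool force)
{
    if (ct->users > 0 && !force)
        return -1;                     /* delete the TC rules first */
    ct->alive = false;
    return 0;
}

/* Runs one teardown order over three rules; returns the stale release count. */
int teardown(bool ct_first)
{
    struct ct_shared ct = { .alive = true, .users = 0 };
    struct tc_rule rules[3];
    int i;

    stale_releases = 0;
    for (i = 0; i < 3; i++)
        tc_rule_add(&rules[i], &ct);
    if (ct_first)
        ct_cleanup(&ct, true);         /* buggy order: CT before TC rules */
    for (i = 0; i < 3; i++)
        tc_rule_del(&rules[i]);
    if (!ct_first)
        ct_cleanup(&ct, false);        /* expected order: CT last, no users left */
    return stale_releases;
}
```

With CT cleanup first, all three rule deletions land on destroyed state; with the TC rules deleted first, none do, and the guarded `ct_cleanup` rejects an early call outright.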
The vulnerability can be reproduced by loading a network module that uses the Mellanox MLX5 driver. This can be done by using the 'modprobe' command to load the module. The improper cleanup sequence will be triggered, leading to the warning trace that indicates a double-free error.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.