Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A potential NULL pointer dereference has been identified in the Linux kernel's RDMA/cxgb4 component. In the pass_establish() function, the get_ep_from_tid() call may fail to retrieve a valid endpoint reference. The endpoint pointer is nevertheless dereferenced later in the function, which can crash the kernel if the value is NULL. This vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can lead to a null pointer dereference, causing a kernel crash and potentially disrupting system operations.
The vulnerability can be reproduced by triggering the pass_establish() function in the RDMA/cxgb4 component with a transaction ID that does not correspond to a valid endpoint. This can be done by manipulating the RDMA connection establishment process to use an invalid or non-existent transaction ID, causing the get_ep_from_tid() function to return a null value. When the function subsequently attempts to dereference the null endpoint pointer, a kernel crash occurs, demonstrating the null pointer dereference vulnerability.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The patch is included in the official Linux kernel repositories.
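The lookup-then-dereference pattern described above, as a user-space model added here for illustration; it is not the kernel's code or the upstream patch. The struct layout, the table, and the `model_*` functions are assumptions, and the guard shown is one way to handle a failed lookup.

```c
/* User-space model of the lookup-then-dereference pattern; not kernel code.
 * struct ep, tid_table, TID_MAX and the model_* functions are constructed. */
#include <stddef.h>
#include <stdio.h>

#define TID_MAX 8

struct ep {
    unsigned int tid;
    int refcnt;
    int established;
};

static struct ep *tid_table[TID_MAX];  /* NULL slot: no endpoint owns that tid */
static struct ep sample_ep = { .tid = 3, .refcnt = 1, .established = 0 };

/* Models get_ep_from_tid(): a referenced endpoint, or NULL when none matches. */
static struct ep *model_get_ep_from_tid(unsigned int tid)
{
    struct ep *ep = (tid < TID_MAX) ? tid_table[tid] : NULL;
    if (ep)
        ep->refcnt++;
    return ep;
}

/* Models the handler with a guard placed before the first dereference. */
static int model_pass_establish(unsigned int tid)
{
    struct ep *ep = model_get_ep_from_tid(tid);
    if (!ep) {
        fprintf(stderr, "no endpoint for tid %u, dropping message\n", tid);
        return -1;
    }
    ep->established = 1;  /* without the guard, this store faults on NULL */
    ep->refcnt--;         /* drop the reference taken by the lookup */
    return 0;
}

/* Registers one constructed endpoint, then handles a known and an unknown tid. */
static int run_demo(void)
{
    tid_table[3] = &sample_ep;
    int ok = model_pass_establish(3);
    int bad = model_pass_establish(7);
    return (ok == 0 && bad == -1 && sample_ep.refcnt == 1) ? 0 : 1;
}

int main(void) { return run_demo(); }
```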