Linux Kernel RDMA/mlx5 Hardware Statistics Handling Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's RDMA/mlx5 component, in the hardware statistics handling function 'mlx5_ib_get_hw_stats()'. When this function is called for the device itself (port_num = 0) rather than for a specific port, special handling is required to access the correct counters. However, port_num is passed down the stack unchanged, and the code further down assumes that port_num is always greater than or equal to 1. With port_num = 0 that assumption fails: the function attempts to access a not-present page in kernel mode, which raises a page fault and crashes the kernel. The issue has been observed in Linux kernel version 6.1.0-rc4.
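The bug class described above, as an added example that is not kernel or driver code: a minimal user-space C model contrasting the flawed "port_num is always at least 1" pattern with a checked lookup. It assumes per-port counters live in an array indexed by port_num - 1 and that port_num 0 selects device-wide counters; every name and value in it is hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_PORTS 2u /* constructed value for this model */

struct counter_set { uint64_t rx_packets; };

struct device_model {
    struct counter_set device;          /* device-wide counters (port_num == 0) */
    struct counter_set port[NUM_PORTS]; /* per-port counters, ports 1..NUM_PORTS */
};

/* Flawed pattern: assumes port_num >= 1. For port_num == 0 the unsigned
 * subtraction wraps to UINT32_MAX, an index far outside port[]. Only the
 * index is returned, so this model never performs the bad access itself. */
static uint32_t flawed_port_index(uint32_t port_num)
{
    return port_num - 1;
}

/* Checked pattern: handle the device case before any port arithmetic and
 * reject out-of-range ports instead of trusting the caller's value. */
static struct counter_set *get_counters_checked(struct device_model *dev,
                                                uint32_t port_num)
{
    if (port_num == 0)
        return &dev->device;
    if (port_num > NUM_PORTS)
        return NULL;
    return &dev->port[port_num - 1];
}

int main(void)
{
    /* Constructed sample data. */
    struct device_model dev = { .device = { 100 }, .port = { { 10 }, { 20 } } };

    for (uint32_t p = 0; p <= NUM_PORTS + 1; p++) {
        struct counter_set *c = get_counters_checked(&dev, p);
        printf("port_num=%u flawed_index=%u checked=%s\n",
               (unsigned)p, (unsigned)flawed_port_index(p),
               c ? "ok" : "rejected");
    }
    return 0;
}
```
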

Impact

The vulnerability can lead to a kernel crash due to a page fault error, caused by improper handling of device port statistics, particularly when the port number is set to zero.

Reproduction

To reproduce this vulnerability, use a device with the RDMA/mlx5 driver and invoke the 'mlx5_ib_get_hw_stats()' function with the port_num parameter set to 0. This will trigger the incorrect handling of hardware statistics, as the function expects a port number of at least 1. The resulting page fault error can be observed in the kernel logs, indicating a supervisor write access violation due to a not-present page.

Remediation

The vulnerability has been addressed in the Linux kernel stable tree. Users can upgrade to the latest version to apply the fix.

Added: Sep 18, 2025, 2:55 PM
Updated: Sep 18, 2025, 2:55 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.