Linux Kernel Net/Mellanox MLX5 Representor Neighbour Cleanup Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of representor neighbour entries for Mellanox MLX5 devices. This issue arises in the Ethernet switch (eswitch) offloading context, particularly with IP tunnel encapsulation in Equal-Cost Multipath (ECMP) mode. When a driver is unloaded, the associated neighbour information on the peer uplink representor is prematurely cleaned up, leading to a slab-use-after-free error. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability triggers a use-after-free, which can lead to memory corruption and potentially allow arbitrary code execution or other unintended behavior.

Reproduction

The vulnerability can be reproduced by offloading an encapsulation rule in ECMP mode on a Mellanox MLX5 device. When the driver is unloaded, the peer rule on the corresponding eswitch is deleted, triggering the use-after-free error because the neighbour information has already been cleaned up on the uplink, but not yet on the peer representor.
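The teardown ordering described above, as an added user-space model (not code from the mlx5 driver or from this advisory). All struct and function names are hypothetical, and the "freed" neighbour entry is modelled with a `live` flag so the program never touches freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not the driver's. */
struct neigh_entry { bool live; int encap_users; };  /* neighbour info on the uplink representor */
struct peer_rule { struct neigh_entry *neigh; bool offloaded; };  /* encap rule duplicated to the peer eswitch */
struct uplink_rep {
    struct neigh_entry neigh;  /* kept in place so the model has no real dangling pointer */
    struct peer_rule rule;
    int stale_accesses;        /* times teardown read neighbour info after its cleanup */
};

/* Offloading an encap rule in ECMP mode: neighbour info plus a peer rule pointing at it. */
static void offload_encap_rule(struct uplink_rep *rep)
{
    rep->neigh.live = true;
    rep->neigh.encap_users = 1;
    rep->rule.neigh = &rep->neigh;
    rep->rule.offloaded = true;
    rep->stale_accesses = 0;
}

/* Neighbour cleanup; in the kernel this is where the slab object is freed. */
static void neigh_cleanup(struct uplink_rep *rep) { rep->neigh.live = false; }

/* Deleting the peer rule detaches it from its neighbour entry, so it must read that entry. */
static void peer_rule_delete(struct uplink_rep *rep)
{
    if (!rep->rule.offloaded)
        return;
    if (rep->rule.neigh->live)
        rep->rule.neigh->encap_users--;
    else
        rep->stale_accesses++;  /* a real driver would dereference freed memory here */
    rep->rule.neigh = NULL;
    rep->rule.offloaded = false;
}

/* Runs one unload and returns how many stale accesses the chosen order produced. */
int unload(bool neigh_cleanup_first)
{
    struct uplink_rep rep;
    offload_encap_rule(&rep);
    if (neigh_cleanup_first) { neigh_cleanup(&rep); peer_rule_delete(&rep); }
    else                     { peer_rule_delete(&rep); neigh_cleanup(&rep); }
    return rep.stale_accesses;
}
int main(void) { printf("early=%d late=%d\n", unload(true), unload(false)); return 0; }
```

In the model, cleaning up neighbour information before the peer rule is deleted yields one stale access, while deleting the peer rule first yields none.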

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version can be found in the Linux kernel documentation.

Added: Dec 24, 2025, 2:37 PM
Updated: Dec 24, 2025, 2:37 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.