Linux Kernel Net MLX5E TC Use-After-Free Vulnerability in NIC Mode

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's net/mlx5e TC (traffic control) component. The issue arises when the eswitch object mapping pool is used while the device is in NIC (network interface card) mode, a configuration in which that pool has not been properly initialized. The result is a slab-use-after-free: freed memory is read, which can potentially be exploited. The bug affects Linux kernel versions that ship the vulnerable mlx5_core module and is reached through traffic control actions.

Impact

Triggering this vulnerability produces a use-after-free condition in which freed memory is accessed, with the potential for memory corruption. Depending on how the freed memory is reused, this could be leveraged to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by enabling eswitch offloads on a Mellanox NIC that is operating in NIC mode. This is done with the 'devlink' command, setting the eswitch mode to 'on', and then applying traffic control rules that exercise the flow offload actions. The resulting use-after-free error is reported in the kernel log, indicating that the bug has been triggered.
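The kernel-log symptom above is a KASAN report. The following added example (not from the advisory or the kernel project) parses such reports out of dmesg text and flags use-after-free hits attributed to a given module; the sample log, function name, addresses and PID are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed dmesg excerpt in the KASAN report format (assumed layout);
# the function name, addresses and PID are placeholders, not advisory values.
SAMPLE_DMESG = """\
[  118.200001] mlx5_core 0000:03:00.0: E-Switch: Enable: mode(OFFLOADS), nvfs(0), active vports(1)
[  121.015621] ==================================================================
[  121.015630] BUG: KASAN: slab-use-after-free in mlx5e_example_tc_fn+0x1a2/0x3c0 [mlx5_core]
[  121.015640] Read of size 8 at addr ffff888123456780 by task tc/4242
[  121.015650] CPU: 3 PID: 4242 Comm: tc Not tainted 6.x.y #1
[  121.015660] Call Trace:
[  121.015670]  dump_stack_lvl+0x5b/0x80
[  121.015680] ==================================================================
[  130.000001] BUG: KASAN: slab-out-of-bounds in other_driver_fn+0x10/0x20 [other_mod]
[  130.000002] Write of size 4 at addr ffff888100000000 by task foo/7
"""

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s?")
BUG_LINE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?: \[(?P<module>[\w-]+)\])?")
ACCESS_LINE = re.compile(
    r"(?P<access>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+"
    r" by task (?P<task>[^/\s]+)/(?P<pid>\d+)")

def parse_kasan_reports(log: str) -> List[Dict[str, object]]:
    """Return one record per KASAN 'BUG:' header; the access line, when
    present, is the line immediately after the header."""
    reports = []
    lines = [TIMESTAMP.sub("", ln) for ln in log.splitlines()]
    for i, line in enumerate(lines):
        m = BUG_LINE.search(line)
        if not m:
            continue
        rec = {"kind": m["kind"], "func": m["func"], "module": m["module"] or "vmlinux",
               "access": None, "size": None, "task": None, "pid": None}
        if i + 1 < len(lines):
            a = ACCESS_LINE.search(lines[i + 1])
            if a:
                rec.update(access=a["access"], size=int(a["size"]),
                           task=a["task"], pid=int(a["pid"]))
        reports.append(rec)
    return reports

def find_uaf_in_module(log: str, module: str = "mlx5_core") -> List[Dict[str, object]]:
    """Keep only use-after-free reports (old 'use-after-free' and newer
    'slab-use-after-free' spellings) whose faulting function is in `module`."""
    return [r for r in parse_kasan_reports(log)
            if r["kind"].endswith("use-after-free") and r["module"] == module]
```

Feed it `dmesg` or `journalctl -k` output; a non-empty result for mlx5_core on a host that has applied TC offload rules is the signal the advisory describes.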

Remediation

As a workaround, users can switch the eswitch mode to 'off' or refrain from applying traffic control rules that reach the vulnerable flow offload actions. Upgrading to a patched version of the Linux kernel is the recommended fix.

Added: Dec 30, 2025, 3:38 PM
Updated: Dec 30, 2025, 3:38 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.