Linux Kernel NULL Pointer Dereference Vulnerability in XFRM Packet Offload Mode

A vulnerability in the Linux kernel's XFRM (IPsec) processing can lead to a NULL pointer dereference, causing a kernel panic. This issue occurs when packets handled by hardware are offloaded with an unnecessary secpath entry, which is not removed during IP forwarding. As a result, packets re-enter the driver transmission path with xfrm_offload set, leading to a crash. The vulnerability has been observed in the mlx5 driver.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, enable IP forwarding on the system. When packets are processed by hardware through the mlx5 driver, the XFRM offload feature adds a secpath entry to indicate that the packets have already been handled. However, the secpath entry is not removed as it should be, allowing the packets to re-enter the transmission path with xfrm_offload set. This triggers a kernel panic as the system encounters a NULL pointer dereference.