Linux Kernel MACsec Offload Null Pointer Dereference Vulnerability in mlx5e Driver

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's mlx5e driver, specifically related to MACsec offload features for uplink representor profiles. In switchdev mode, MACsec offload is not supported for uplink representors. When a netdevice is switched to the uplink representor profile, the MACsec offload feature must be disabled. Failure to do so leads to a null pointer dereference, as the uplink representor cannot handle MACsec offload, even though the feature bit remains active. This issue has been observed in kernel version 6.14.0-rc4.

Impact

Exploitation of this vulnerability causes a general protection fault due to a null pointer dereference, which can lead to a crash of the affected system or component.

Reproduction

The vulnerability can be reproduced by enabling MACsec offload on a netdevice configured as an uplink representor in switchdev mode. When the netdevice is switched to the uplink representor profile, the MACsec offload feature should be manually cleared. If the feature is left enabled, attempts to add offloads will result in a null pointer dereference, causing a general protection fault.

Remediation

The MACsec offload feature should be disabled for netdevices using the uplink representor profile in switchdev mode.
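To find hosts in the state described above, the following audit script is an added example, not code from the advisory or the kernel project. It flags mlx5 netdevices whose eswitch reports switchdev mode while `ethtool -k` still shows `macsec-hw-offload: on`. The `mlx5_core` driver match, the sysfs-to-PCI mapping, and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag mlx5 netdevs whose eswitch is in
# switchdev mode while the macsec-hw-offload feature bit is still on.

# Constructed sample outputs, used when no live host is available.
SAMPLE_FEAT='rx-checksumming: on
macsec-hw-offload: on
hw-tc-offload: on'
SAMPLE_ESW='pci/0000:08:00.0: mode switchdev inline-mode none encap-mode basic'

# Succeeds if `ethtool -k` text on stdin shows macsec-hw-offload enabled.
macsec_offload_on() {
    grep -Eq '^[[:space:]]*macsec-hw-offload:[[:space:]]+on([[:space:]]|$)'
}

# Succeeds if `devlink dev eswitch show` text on stdin reports switchdev mode.
eswitch_is_switchdev() {
    grep -Eq '(^|[[:space:]])mode[[:space:]]+switchdev([[:space:]]|$)'
}

# classify <ethtool -k text> <devlink eswitch text>  ->  AT_RISK | OK
classify() {
    if printf '%s\n' "$2" | eswitch_is_switchdev &&
       printf '%s\n' "$1" | macsec_offload_on; then
        echo AT_RISK
    else
        echo OK
    fi
}

# Live audit. Assumes the netdev's sysfs "device" link is the PCI function
# that devlink addresses as pci/<address>.
audit_host() {
    for path in /sys/class/net/*; do
        drv=$(readlink "$path/device/driver" 2>/dev/null) || continue
        [ "${drv##*/}" = mlx5_core ] || continue
        pci=$(readlink "$path/device"); pci=${pci##*/}
        dev=${path##*/}
        feat=$(ethtool -k "$dev" 2>/dev/null || true)
        esw=$(devlink dev eswitch show "pci/$pci" 2>/dev/null || true)
        echo "$dev $(classify "$feat" "$esw")"
    done
}

if [ "${1:-}" = --live ]; then
    audit_host
else
    echo "sample: $(classify "$SAMPLE_FEAT" "$SAMPLE_ESW")"
fi
```

Run it with `--live` on a host to audit real interfaces; a device reported as `AT_RISK` is in the configuration this section says must have MACsec offload disabled.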

Added: Jun 18, 2025, 12:12 PM
Updated: Jun 18, 2025, 12:12 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 8.3
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.