Linux Kernel Net/Mlx5e Secpath Removal Vulnerability

Vulnerability

A vulnerability in the Linux kernel's net/mlx5e component can lead to a kernel crash. This issue arises when a decrypted packet's xfrm state is not found, causing the secpath extension on the socket buffer (skb) to remain, despite the state being invalid. Functions that rely on this secpath can then dereference a null or invalid pointer, leading to a page fault and crash. The vulnerability is present in several versions of the Linux kernel.

Impact

The vulnerability causes a kernel crash due to a null pointer dereference, a common class of bug that can lead to a denial of service.

Reproduction

The vulnerability can be reproduced by processing a decrypted packet in the net/mlx5e component after the corresponding xfrm state has been freed. This can be done with the IPsec Rx data path offload feature, which is available in ConnectX hardware. When the packet is received, the xfrm state lookup fails, but the secpath extension is not cleared. Subsequent processing then attempts to access the invalid xfrm state, causing a crash.
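The failure mode described above, as an added user-space model in C (not kernel or driver code, and not taken from the patch). All type and function names are hypothetical stand-ins, and the model assumes the secpath is attached before the state lookup; it contrasts leaving the secpath in place on a lookup miss with clearing it.

```c
#include <stdio.h>
#include <stdlib.h>
/* User-space model only: every name here is a hypothetical stand-in. */
struct xfrm_state_model { unsigned int handle; };
struct sec_path_model   { int len; struct xfrm_state_model *xvec[1]; };
struct skb_model        { struct sec_path_model *sp; }; /* NULL: no secpath */

static struct xfrm_state_model *state_table[4];         /* handle -> state */

static struct xfrm_state_model *state_lookup(unsigned int handle)
{
    return handle < 4 ? state_table[handle] : NULL;
}

static void secpath_drop(struct skb_model *skb) { free(skb->sp); skb->sp = NULL; }

/* Rx handling of a hardware-decrypted packet. Returns 0 on success, -1 on a
 * lookup miss. clear_on_miss = 0 models the flawed path, 1 the corrected one. */
static int rx_handle(struct skb_model *skb, unsigned int handle, int clear_on_miss)
{
    struct xfrm_state_model *x = state_lookup(handle);
    skb->sp = calloc(1, sizeof(*skb->sp));  /* secpath attached, len == 0 */
    if (!skb->sp)
        return -1;
    if (!x) {                               /* state was freed before lookup */
        if (clear_on_miss)
            secpath_drop(skb);              /* later code sees no secpath */
        return -1;
    }
    skb->sp->xvec[skb->sp->len++] = x;
    return 0;
}

/* What a later consumer finds: 0 = no secpath, 1 = secpath with a usable
 * state, -1 = secpath present with no state behind it (the crash condition). */
static int secpath_status(const struct skb_model *skb)
{
    if (!skb->sp)
        return 0;
    if (skb->sp->len < 1 || !skb->sp->xvec[skb->sp->len - 1])
        return -1;
    return 1;
}

int main(void)
{
    static struct xfrm_state_model live = { 1 };  /* constructed sample state */
    struct skb_model a = {0}, b = {0}, c = {0};
    state_table[1] = &live;
    rx_handle(&a, 1, 0); rx_handle(&b, 2, 0); rx_handle(&c, 2, 1);
    printf("%d %d %d\n", secpath_status(&a), secpath_status(&b), secpath_status(&c));
    secpath_drop(&a); secpath_drop(&b);
    return 0;
}
```

A consumer that trusts the mere presence of the secpath corresponds to the `-1` case; in the kernel that access is the faulting dereference.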

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The patch is included in the official Linux kernel repositories.

Added: Aug 19, 2025, 6:14 PM
Updated: Aug 19, 2025, 6:14 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.