Linux Kernel SCSI qla2xxx NULL Pointer Dereference Vulnerability in Abort Command Handling

Vulnerability

A vulnerability has been identified in the Linux kernel's SCSI qla2xxx driver, specifically in its command abort handling. The issue is a NULL pointer dereference that occurs when the driver assumes the command type without validating it. This flaw can lead to a kernel crash, particularly in target mode when handling certain command types. The vulnerability is present in Linux kernel versions through 6.1.133.

Impact

Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by triggering the SCSI qla2xxx driver's command abortion process in target mode, with commands of type TYPE_TGT_CMD. This can be done by simulating a scenario where the driver needs to abort commands without the proper locks, allowing a race condition to occur that leads to the NULL pointer dereference.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched kernel can be found on the official Linux kernel website.
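
A host triage check for the remediation step above, as an added example (not part of the advisory or the kernel project): it flags a machine for review when the qla2xxx driver is present and the kernel release is numerically at or below 6.1.133, the bound stated in this advisory. The function names and the plain numeric comparison are assumptions of this example; distribution kernels with backported fixes and other stable branches must be confirmed against the vendor changelog.

```sh
#!/bin/sh
# Added example (constructed for this page): flag hosts to review for the
# qla2xxx abort-handling crash. Version bound comes from the advisory text.
AFFECTED_THROUGH="6.1.133"

# Normalise a release string: "6.1.0-28-amd64" -> "6.1.0", "6.12" -> "6.12.0".
kver_base() {
    v=${1%%[!0-9.]*}         # drop everything from the first non-version character
    printf '%s\n' "$v" | awk -F. \
        '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { printf "%d.%d.%d\n", $1, $2, $3 }'
}

# Return 0 if $1 <= $2, 1 if $1 > $2, 2 if either string cannot be parsed.
kver_le() {
    a=$(kver_base "$1"); b=$(kver_base "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    printf '%s %s\n' "$a" "$b" | awk '{
        split($1, x, "."); split($2, y, ".")
        for (i = 1; i <= 3; i++) {       # numeric compare, so 6.1.9 < 6.1.133
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0 }'
}

# triage <kernel-release> [sysfs-root]
# Returns 0 = review needed, 1 = not flagged, 2 = release string not understood.
triage() {
    rel=$1; sysfs=${2:-/sys}
    # /sys/module/qla2xxx exists while the driver is loaded or built in.
    if [ ! -d "$sysfs/module/qla2xxx" ]; then
        echo "not flagged: qla2xxx driver not present"; return 1
    fi
    rc=0; kver_le "$rel" "$AFFECTED_THROUGH" || rc=$?
    case $rc in
        0) echo "REVIEW: qla2xxx present, kernel $rel <= $AFFECTED_THROUGH"; return 0 ;;
        1) echo "not flagged: kernel $rel is above $AFFECTED_THROUGH"; return 1 ;;
        *) echo "unknown: cannot parse kernel release '$rel'"; return 2 ;;
    esac
}

# Check the running host only when asked to: sh triage.sh --host
if [ "${1:-}" = "--host" ]; then
    triage "$(uname -r)" || true
fi
```

A "not flagged" result only means the release string is above the advisory's bound or the driver is absent; it does not prove a vendor kernel carries the fix.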

Added: Jan 13, 2026, 5:51 PM
Updated: Jan 13, 2026, 5:51 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.