Linux Kernel NULL Pointer Dereference Vulnerability in net/mlx5e TC Flow Management

Vulnerability

A vulnerability in the Linux kernel's handling of TC steering flows in the Mellanox mlx5 driver (net/mlx5e) can lead to a NULL pointer dereference. The issue affects kernel versions through 6.18.0 and is triggered when TC steering flows are deleted. The deletion path incorrectly assumes that all ports are available, so it can access non-existent peers and crash the kernel. The root cause is improper cleanup of TC flows, which should target only active connections.
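
The cleanup flaw described above, reduced to a minimal C model as an added example (not the mlx5 driver's code or the upstream fix): every name, `MAX_PORTS` and the scenario in `demo_cleaned` are hypothetical. `del_flow_all_ports` shows the unchecked walk over every port and is never called; `del_flow_active_peers` visits only ports that have an active peer.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_PORTS 4 /* constructed for this model, not the driver's constant */

/* Hypothetical stand-ins; none of these names come from the mlx5 driver. */
struct peer { int nr_flows; };                   /* flows offloaded on this peer */
struct dev  { struct peer *peers[MAX_PORTS]; };  /* NULL = no peer on that port */

/* "Before": teardown assumes every port has a peer. With any NULL slot this
 * dereferences a NULL pointer, the failure mode described above. */
void del_flow_all_ports(struct dev *d)
{
    for (int i = 0; i < MAX_PORTS; i++)
        d->peers[i]->nr_flows--;   /* faults when peers[i] == NULL */
}

/* "After": teardown only visits ports that have an active peer.
 * Returns how many peers were cleaned up. */
int del_flow_active_peers(struct dev *d)
{
    int cleaned = 0;
    for (int i = 0; i < MAX_PORTS; i++) {
        struct peer *p = d->peers[i];
        if (!p || p->nr_flows == 0)  /* absent peer, or nothing offloaded there */
            continue;
        p->nr_flows--;
        cleaned++;
    }
    return cleaned;
}

/* Constructed scenario: peers on ports 0 and 2 only, one flow on each. */
int demo_cleaned(void)
{
    struct peer a = { 1 }, b = { 1 };
    struct dev d = { { &a, NULL, &b, NULL } };
    int n = del_flow_active_peers(&d);
    return (a.nr_flows == 0 && b.nr_flows == 0) ? n : -1;
}

int main(void)
{
    printf("peers cleaned: %d\n", demo_cleaned());
    return 0;
}
```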

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the affected system.

Reproduction

The vulnerability can be reproduced by deleting TC steering flows while the driver is connected to a peer. This can be done using the 'tc' command to manage traffic control settings, which will trigger the flow deletion process. The improper handling will cause the kernel to attempt to access a non-existent peer, resulting in a NULL pointer dereference.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.

Added: Feb 14, 2026, 4:17 PM
Updated: Feb 14, 2026, 4:17 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.4
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.