Linux Kernel RDMA/SIW NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's RDMA/SIW component can lead to a NULL pointer dereference. It affects versions of the Linux kernel prior to the latest patch. The problem is in the header processing of the RDMA/SIW driver, specifically within the 'siw_tcp_rx_data()' function. If 'siw_get_hdr()' returns an error before 'set_rx_fpdu_context()' is called, the 'qp->rx_fpdu' pointer can still be NULL. The error handling in 'siw_tcp_rx_data()' then dereferences 'qp->rx_fpdu->more_ddp_segs' without first verifying that 'rx_fpdu' is valid, potentially leading to a crash. This vulnerability has been addressed in the Linux kernel stable tree.
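The error path described above, as an added user-space model that is not the kernel's code or its patch: it puts an unguarded read of 'more_ddp_segs' beside a guarded one. The struct layout, the state enum and every function name here are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model: these types are stand-ins, not the kernel's definitions. */
enum rx_state { GET_HDR = 0, GET_DATA = 1 };   /* assumed ordering of RX states */
struct fpdu_ctx { bool more_ddp_segs; };
struct qp_model {
    struct fpdu_ctx *rx_fpdu;   /* NULL until the context has been selected */
    struct fpdu_ctx ctx;
    enum rx_state state;
};

/* Models siw_get_hdr(): a header error returns before the context is set. */
static int model_get_hdr(struct qp_model *qp, bool hdr_ok)
{
    if (!hdr_ok)
        return -1;              /* rx_fpdu is still NULL here */
    qp->rx_fpdu = &qp->ctx;     /* models set_rx_fpdu_context() */
    return 0;
}

/* Unguarded error path: reads more_ddp_segs with no validity check. */
static bool must_complete_unguarded(const struct qp_model *qp)
{
    return qp->state > GET_HDR || qp->rx_fpdu->more_ddp_segs;
}

/* Guarded error path: rx_fpdu is verified before it is dereferenced. */
static bool must_complete_guarded(const struct qp_model *qp)
{
    return qp->state > GET_HDR ||
           (qp->rx_fpdu != NULL && qp->rx_fpdu->more_ddp_segs);
}

int main(void)
{
    struct qp_model ok = {0}, bad = {0};

    model_get_hdr(&ok, true);
    ok.ctx.more_ddp_segs = true;
    printf("valid context, unguarded: %d\n", must_complete_unguarded(&ok));

    model_get_hdr(&bad, false);  /* header error, rx_fpdu stays NULL */
    printf("NULL context, guarded:    %d\n", must_complete_guarded(&bad));
    /* must_complete_unguarded(&bad) would dereference NULL and crash. */
    return 0;
}
```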

Impact

Exploitation of this vulnerability can cause a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by simulating a scenario where 'siw_get_hdr()' returns an error before 'set_rx_fpdu_context()' is executed. This can be done by creating a condition that triggers the error response in 'siw_get_hdr()' while ensuring that 'siw_tcp_rx_data()' processes the incoming data. Without a valid 'rx_fpdu' context, the function dereferences a NULL pointer, leading to a crash. The issue can be observed using the Kernel Address Sanitizer (KASAN), which will report the NULL pointer dereference error.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation or through the package management system of the respective Linux distribution.

Added: Mar 18, 2026, 11:28 AM
Updated: Mar 18, 2026, 11:28 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.