Shay Drory

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.61 Description: A null pointer dereference issue has been identified in the Linux kernel's net/mlx5 component. The problem occurs due to incorrect initialization of the command bitmask, specifically the bit for the `MANAGE PAGES` command. This can lead to a null pointer dereference error when `mlx5 cmd trigger completions()` attempts to trigger completion for the `MANAGE PAGES` command before it has been invoked. The issue can result in a null-ptr-deref error, as seen in the `mlx5 cmd trigger completions+0x1db/0x600` function. Recommendations: To resolve this issue, update to Linux kernel version 6.6.61 or later. As a temporary workaround, consider disabling the `mlx5 cmd trigger completions()` function until a patch is available. Restrict access to the `net/mlx5` component to minimize the risk of exploitation. Avoid using the `MANAGE PAGES` command in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.7.0-68.fc38.x86 64 **Description** The vulnerability is related to the net/mlx5 driver in the Linux kernel. If the teardown hca function fails during driver removal, the health timer is not stopped, which can lead to a Use-After-Free (UAF) bug. This bug results in a page fault, as the health timer invokes after resources have been freed. The issue is resolved by stopping the health monitor even if teardown hca fails. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, update to a version later than 6.7.0-68.fc38.x86 64. As a temporary workaround, consider disabling the health timer during driver removal to prevent the UAF bug. However, this is not a permanent solution and updating the kernel is the recommended course of action.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.5.0 **Description** The vulnerability is related to the net/mlx5e driver in the Linux kernel. It occurs when the `mlx5e suspend` function cleans resources only if `netif device present()` returns true, but `mlx5e resume` changes the state of netif via `mlx5e nic enable` only if `reg state` equals `NETREG REGISTERED`. This can lead to a NULL pointer dereference and memory leaks in certain cases. The issue arises when `mlx5e probe` calls ` mlx5e resume`, which in turn calls `mlx5e attach netdev` and `mlx5e nic enable`. If `register netdev` fails, `netif device present` returns false, and resources are not freed, resulting in a memory leak. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for the net/mlx5e driver. Specifically, ensure that the kernel version is 6.5.0 or later, as this version includes the necessary patches to address the vulnerability. If updating the kernel is not feasible, consider applying the patch for the net/mlx5e driver to the existing kernel version to fix the issue.