The vulnerability occurs in the Linux kernel, specifically in the Mellanox mlx5 Ethernet driver. The issue arises from incorrect memory access in the `mlx5e_get_next_valid_encap()` function, which is used to iterate over encapsulation entries in a neighbor table.
The function uses a hardcoded check for a 'valid' flag value, but this check is not sufficient to ensure that the encap entry is properly initialized. This can lead to out-of-bounds memory access and potential crashes or exploitation by an attacker.
The fix refactors `mlx5e_get_next_valid_encap()` to use a callback that tests whether a flow matches, rather than relying on a hardcoded check. Additionally, a new helper function `mlx5e_get_next_init_encap()` is introduced to safely iterate over `nhe->encap_list`.
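As an added illustration (not the mlx5 driver's code), a user-space C model of the refactoring described above: the list walker takes a predicate callback instead of a hardcoded valid-flag test, so a caller that needs every fully initialized entry is not limited to the ones currently marked valid. All struct, flag and function names here are hypothetical stand-ins, and the sample list is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
enum { ENTRY_INITIALIZED = 1u << 0, ENTRY_VALID = 1u << 1 };
struct encap_entry {
    unsigned int flags;   /* hypothetical stand-in for the driver's flag bits */
    int refcnt;           /* 0: entry is being torn down and must not be used */
    struct encap_entry *next;
};

/* The single hardcoded test the text calls insufficient: "is it valid?" */
static bool encap_valid(const struct encap_entry *e) { return e->flags & ENTRY_VALID; }

/* The stricter question a walker usually needs: "is it fully set up?" */
static bool encap_initialized(const struct encap_entry *e) { return e->flags & ENTRY_INITIALIZED; }

/* Callback-driven iterator: the caller supplies the predicate, so one walker serves
 * both "next valid" and "next initialised"; entries already being released are skipped. */
static struct encap_entry *
get_next_matching_encap(struct encap_entry *head, struct encap_entry *prev,
                        bool (*match)(const struct encap_entry *))
{
    for (struct encap_entry *e = prev ? prev->next : head; e; e = e->next)
        if (e->refcnt > 0 && match(e))
            return e;
    return NULL;
}

/* Walk the whole list with a predicate and count what it would touch. */
int count_matching(struct encap_entry *head, bool (*match)(const struct encap_entry *))
{
    int n = 0;
    for (struct encap_entry *e = get_next_matching_encap(head, NULL, match); e;
         e = get_next_matching_encap(head, e, match))
        n++;
    return n;
}

/* Constructed sample list: a live valid entry, an initialised entry whose
 * neighbour is currently unreachable, an allocated-but-uninitialised entry,
 * and a valid entry that is already being freed. */
struct encap_entry *build_sample_list(void)
{
    static struct encap_entry e[4];
    e[0] = (struct encap_entry){ ENTRY_INITIALIZED | ENTRY_VALID, 1, &e[1] };
    e[1] = (struct encap_entry){ ENTRY_INITIALIZED, 1, &e[2] };
    e[2] = (struct encap_entry){ 0, 1, &e[3] };
    e[3] = (struct encap_entry){ ENTRY_INITIALIZED | ENTRY_VALID, 0, NULL };
    return &e[0];
}
```

With the hardcoded valid-only predicate the walker sees one entry; with the initialized predicate it sees two, while the uninitialised entry and the entry being freed are skipped by both.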
The vulnerability was introduced in Linux kernel version 5.4 and was fixed in versions 5.12.13 and 5.13. The affected files are:
* drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c
* drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c
* drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
* drivers/net/ethernet/mellanox/mlx5/core/en_tc.h
The Linux kernel CVE team recommends updating to the latest stable kernel version to resolve this issue, as individual changes are not tested alone and may have unintended consequences.