Linux Kernel NULL Pointer Dereference Vulnerability in SFC Driver XDP Queue Handling

Vulnerability

A vulnerability in the Linux kernel's SFC network driver has been identified that leads to a NULL pointer dereference and a kernel panic. The issue occurs when the receive and transmit ring buffer sizes are changed: the driver reallocates and reinitializes the RX and TX queues and their buffers, but it does not reinitialize the XDP (eXpress Data Path) queues. As a result, when the driver later acts on XDP_TX or XDP_REDIRECT, it references an uninitialized buffer, causing a kernel panic. The vulnerability has been addressed by moving the XDP queue handling into a new function, efx_set_xdp_channels(), so that the XDP queues are initialized correctly whenever the channels are set up.

Impact

Exploitation of this vulnerability leads to a kernel panic caused by a NULL pointer dereference, disrupting system operations and potentially causing a denial of service.

Reproduction

To reproduce this vulnerability, change the receive and transmit ring buffer sizes using ethtool. This action will trigger the SFC driver to reallocate and initialize the receive and transmit queues. However, the XDP queues will not be properly reinitialized. When the driver then processes packets using XDP_TX or XDP_REDIRECT, it will use an uninitialized buffer, causing a NULL pointer dereference and a kernel panic.

Remediation

The vulnerability has been fixed in the official Linux kernel repository. Users should upgrade to the latest version where this issue has been addressed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread:         9.0
impact:         2.5
exploitability: 5.7
remediation:    0.0
relevance:      0.0
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.