Linux Kernel Ice Driver Out-of-Bounds Access Vulnerability in XSK Socket Management

Vulnerability

A vulnerability in the Linux kernel's ice driver allows out-of-bounds access to the receive ring array when eBPF XDP sockets (XSK) are in use. It affects kernel versions that include the affected ice driver and is triggered when a user attaches an XSK socket in transmit-only mode to a queue ID that has no corresponding receive queue. The ice driver's logic requires both the transmit and the receive queue to be enabled and assigned an XSK pool, so the driver also touches the receive ring for that queue ID, leading to a null pointer dereference and a kernel panic.

Impact

Exploitation of this vulnerability causes a null pointer dereference in the kernel, leading to a crash.

Reproduction

To reproduce this vulnerability, use the 'ethtool' command to set the receive and transmit queue counts for a network interface. Then use the 'xdpsock' tool to attach an XSK socket in transmit-only mode to a queue ID that lacks a corresponding receive queue. This triggers the out-of-bounds access to the receive ring array, causing a null pointer dereference and a kernel panic.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
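The missing validation described above can be shown with a small user-space model. This is an added example, not the ice driver's code or the upstream patch; `struct vsi_model`, `struct ring`, `qid_valid_tx_only`, `qid_valid_both` and `attach_pool` are hypothetical names, and the queue counts in `main` are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct ring { void *xsk_pool; };  /* hypothetical model, not the ice driver's types */
struct vsi_model {
    uint16_t num_rxq, num_txq;
    struct ring *rx_rings;  /* num_rxq entries */
    struct ring *tx_rings;  /* num_txq entries */
};

/* Flawed check: a TX-only socket is validated against the TX count alone. */
static int qid_valid_tx_only(const struct vsi_model *v, uint16_t qid)
{
    return qid < v->num_txq;
}

/* Hardened check: the pool is set on both rings, so qid must index both. */
static int qid_valid_both(const struct vsi_model *v, uint16_t qid)
{
    return qid < v->num_rxq && qid < v->num_txq;
}

/* Assign a pool to queue pair qid; rejects the request before any indexing. */
static int attach_pool(struct vsi_model *v, uint16_t qid, void *pool)
{
    if (!qid_valid_both(v, qid))
        return -EINVAL;
    v->rx_rings[qid].xsk_pool = pool;
    v->tx_rings[qid].xsk_pool = pool;
    return 0;
}

int main(void)
{
    /* Constructed setup: 1 RX queue and 4 TX queues. */
    struct vsi_model v = { .num_rxq = 1, .num_txq = 4 };
    int pool = 0;  /* stand-in for an XSK pool */
    v.rx_rings = calloc(v.num_rxq, sizeof(*v.rx_rings));
    v.tx_rings = calloc(v.num_txq, sizeof(*v.tx_rings));
    if (!v.rx_rings || !v.tx_rings)
        return 1;
    for (unsigned q = 0; q < v.num_txq; q++)
        printf("qid %u: tx-only check=%d attach=%d\n", q,
               qid_valid_tx_only(&v, q), attach_pool(&v, q, &pool));
    free(v.rx_rings);
    free(v.tx_rings);
    return 0;
}
```

Queue IDs 1 to 3 pass the TX-only check but are rejected by `attach_pool`, because the receive ring array has a single entry.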

Added: Jun 18, 2025, 8:33 PM
Updated: Jun 18, 2025, 8:33 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.