Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's TI Ethernet driver, specifically within the netcp_ndo_start_xmit function. The issue arises when the kernel is built with Clang's kernel control flow integrity (kCFI) feature, which validates the target of every indirect call against the function pointer prototype expected at the call site in order to mitigate return-oriented programming (ROP) attacks. The vulnerability occurs because the return type of netcp_ndo_start_xmit is declared as 'int' rather than the 'netdev_tx_t' that the ndo_start_xmit callback prototype requires. Because kCFI compares the callee's prototype hash with the one expected at the call site, this otherwise harmless mismatch trips the check at runtime, which can result in a kernel panic or the termination of the calling thread. The problem can be detected at compile time with a proposed warning in Clang that reports the incompatible function pointer types. The vulnerability has been addressed by correcting the return type of netcp_ndo_start_xmit to match the expected prototype, which resolves both the warning and the kCFI failure.
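The paragraph above describes kCFI as a prototype check on indirect calls; the following is an added, self-contained C model of that check (not kernel code and not the driver's fix) that shows why an 'int' return type trips it even though the value is ABI-compatible. The kernel structs, the enum, the hash function and the names netcp_ndo_start_xmit_buggy / netcp_ndo_start_xmit_fixed are constructed stand-ins; real kCFI emits the prototype hash and the comparison in generated code rather than in a struct, and traps with an undefined instruction instead of returning an error.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the kernel types involved (constructed for this example). */
struct sk_buff { int len; };
struct net_device { const char *name; };
typedef enum netdev_tx { NETDEV_TX_OK = 0x00, NETDEV_TX_BUSY = 0x10 } netdev_tx_t;

/* The prototype the core networking code expects for the ndo_start_xmit callback. */
typedef netdev_tx_t (*ndo_start_xmit_t)(struct sk_buff *, struct net_device *);

/* kCFI tags every address-taken function with a hash of its prototype and checks
 * that hash before each indirect call. We model the tag as an FNV-1a hash over a
 * canonical prototype string; the real compiler hashes the mangled type name. */
static uint32_t cfi_type_id(const char *proto) {
    uint32_t h = 2166136261u;
    for (; *proto; proto++) {
        h ^= (unsigned char)*proto;
        h *= 16777619u;
    }
    return h;
}

/* An indirect-call target as kCFI sees it: code address plus prototype hash. */
struct cfi_target {
    ndo_start_xmit_t fn;
    uint32_t type_id;
};

/* The driver callback as originally written: returns 'int' (hypothetical name). */
static int netcp_ndo_start_xmit_buggy(struct sk_buff *skb, struct net_device *dev) {
    (void)skb; (void)dev;
    return NETDEV_TX_OK;
}

/* The driver callback after the fix: returns 'netdev_tx_t' (hypothetical name). */
static netdev_tx_t netcp_ndo_start_xmit_fixed(struct sk_buff *skb, struct net_device *dev) {
    (void)skb; (void)dev;
    return NETDEV_TX_OK;
}

/* What the compiler emits at the call site under kCFI: compare the hash expected
 * for ndo_start_xmit with the callee's hash and refuse the call on mismatch.
 * Returns 0 on a successful call, -1 where real kCFI would panic or kill the thread. */
static int cfi_checked_xmit(const struct cfi_target *t, struct sk_buff *skb,
                            struct net_device *dev, netdev_tx_t *out) {
    uint32_t expected = cfi_type_id("netdev_tx_t(struct sk_buff *, struct net_device *)");
    if (t->type_id != expected)
        return -1;
    *out = t->fn(skb, dev);
    return 0;
}

/* Drive one packet through the 'int'-returning driver: the value would be fine,
 * but the prototype hash differs, so the check fires. */
static int xmit_via_buggy_driver(void) {
    struct sk_buff skb = { .len = 64 };
    struct net_device dev = { .name = "eth0" };
    netdev_tx_t rc = NETDEV_TX_BUSY;
    struct cfi_target t = {
        /* The cast mirrors the silent conversion C permits; kCFI does not. */
        .fn = (ndo_start_xmit_t)netcp_ndo_start_xmit_buggy,
        .type_id = cfi_type_id("int(struct sk_buff *, struct net_device *)"),
    };
    return cfi_checked_xmit(&t, &skb, &dev, &rc);
}

/* Same packet through the corrected driver: hashes match, call proceeds. */
static int xmit_via_fixed_driver(void) {
    struct sk_buff skb = { .len = 64 };
    struct net_device dev = { .name = "eth0" };
    netdev_tx_t rc = NETDEV_TX_BUSY;
    struct cfi_target t = {
        .fn = netcp_ndo_start_xmit_fixed,
        .type_id = cfi_type_id("netdev_tx_t(struct sk_buff *, struct net_device *)"),
    };
    if (cfi_checked_xmit(&t, &skb, &dev, &rc) != 0)
        return -1;
    return rc == NETDEV_TX_OK ? 0 : -2;
}

int main(void) {
    printf("int-returning driver:  %s\n", xmit_via_buggy_driver() == 0 ? "call allowed" : "kCFI violation");
    printf("fixed driver:          %s\n", xmit_via_fixed_driver() == 0 ? "call allowed" : "kCFI violation");
    return 0;
}
```

The model makes the point of the advisory concrete: the mismatch is invisible to ordinary C type checking (an enum and 'int' convert freely), but kCFI keys on the exact prototype, so the only correct fix is to declare the callback with the type the core expects, as the kernel patch did.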
Exploitation of this vulnerability can lead to a runtime failure, causing either a kernel panic or the unexpected termination of a thread.
The vulnerability can be reproduced by compiling the Linux kernel with Clang with the kernel control flow integrity (kCFI) feature enabled. With the proposed strict check, Clang reports incompatible function pointer types in the TI Ethernet driver's netcp_core.c file, indicating that netcp_ndo_start_xmit returns an 'int' instead of the required 'netdev_tx_t', an enumeration type used throughout the Linux networking stack.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version of the stable Linux kernel to apply this fix.