Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A kernel crash vulnerability has been identified in the Linux kernel's i40e network driver (Intel Ethernet 700 series controllers). When the driver finds the NIC firmware in recovery mode during probe, it takes an abbreviated initialization path and returns early, skipping steps the normal path performs, among them registering the driver's private state as the PCI driver data for the device. When the shutdown routine later runs, it retrieves that driver data, receives NULL, and dereferences it. Rebooting a system with an i40e NIC in firmware recovery mode is enough to trigger the kernel null pointer dereference.
The impact is a kernel null pointer dereference (oops) during shutdown, so an orderly reboot of an affected host turns into a crash. No attacker-controlled input is involved: the trigger is the firmware state of the NIC combined with a shutdown or reboot, and the root cause is the i40e driver's incomplete handling of recovery mode during probe rather than anything in the shutdown path itself.
To reproduce this vulnerability, first confirm that the i40e network interface card (NIC) is in firmware recovery mode. The driver reports this in the kernel log at probe time, warning that firmware recovery mode was detected and that functionality is limited, so a check such as `dmesg | grep -i 'recovery mode'` on the affected host is sufficient. Once the NIC is confirmed to be in recovery mode, initiate a reboot. During shutdown the i40e_shutdown function is called, fetches the driver data that the recovery-mode probe path never set, and dereferences the resulting NULL pointer, crashing the kernel.
The vulnerability has been addressed by modifying the i40e driver so that the driver data is set even when the firmware is in recovery mode, which lets the shutdown routine find valid state regardless of which probe path ran. Users should update to a kernel version that carries this fix; until then, hosts whose i40e NIC is in firmware recovery mode should expect a crash rather than a clean reboot.
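The following is an added user-space model of the bug and the fix, written for this entry; it is not the i40e driver's code and it does not build against the kernel. The PCI helpers, the trimmed `struct i40e_pf`, and the function names `probe_vulnerable`, `probe_fixed`, `shutdown_model` and `reboot_scenario` are all assumed stand-ins. It shows the ordering problem described above: an early return for recovery mode placed before the driver data is registered leaves the device with no driver data, so the shutdown path receives NULL. In the kernel that NULL is dereferenced; the model reports the condition instead of crashing the demo process.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for the PCI core helpers that attach private driver
 * state to a device (model only, not kernel code). */
struct pci_dev {
    void *driver_data;
};

static void pci_set_drvdata(struct pci_dev *pdev, void *data)
{
    pdev->driver_data = data;
}

static void *pci_get_drvdata(struct pci_dev *pdev)
{
    return pdev->driver_data;
}

/* Heavily trimmed private state; the real struct i40e_pf is far larger. */
struct i40e_pf {
    struct pci_dev *pdev;
    bool recovery_mode;     /* firmware reported recovery mode at probe */
    bool full_init_done;    /* normal (non-recovery) initialization ran */
    bool shut_down;         /* shutdown teardown touched this state */
};

enum shutdown_outcome {
    SHUTDOWN_OK = 0,
    SHUTDOWN_NULL_DRVDATA = 1,  /* the real driver would oops here */
};

/* Model bookkeeping so a pf that probe never registered can still be freed. */
static struct i40e_pf *g_last_pf;

static struct i40e_pf *alloc_pf(struct pci_dev *pdev, bool fw_in_recovery)
{
    struct i40e_pf *pf = calloc(1, sizeof(*pf));
    if (!pf)
        return NULL;
    pf->pdev = pdev;
    pf->recovery_mode = fw_in_recovery;
    g_last_pf = pf;
    return pf;
}

/* Vulnerable ordering: the recovery-mode early return happens before the
 * driver data is registered, so the device never learns about pf. */
static int probe_vulnerable(struct pci_dev *pdev, bool fw_in_recovery)
{
    struct i40e_pf *pf = alloc_pf(pdev, fw_in_recovery);
    if (!pf)
        return -1;
    if (fw_in_recovery)
        return 0;           /* limited functionality; pci_set_drvdata() skipped */
    pf->full_init_done = true;
    pci_set_drvdata(pdev, pf);
    return 0;
}

/* Fixed ordering: register the driver data on every successful probe path,
 * then take the recovery-mode shortcut. */
static int probe_fixed(struct pci_dev *pdev, bool fw_in_recovery)
{
    struct i40e_pf *pf = alloc_pf(pdev, fw_in_recovery);
    if (!pf)
        return -1;
    pci_set_drvdata(pdev, pf);
    if (fw_in_recovery)
        return 0;
    pf->full_init_done = true;
    return 0;
}

/* Shutdown path as described in the entry: fetch pf from the device and use
 * it. A NULL pf is reported here rather than dereferenced. */
static enum shutdown_outcome shutdown_model(struct pci_dev *pdev)
{
    struct i40e_pf *pf = pci_get_drvdata(pdev);
    if (!pf)
        return SHUTDOWN_NULL_DRVDATA;
    pf->shut_down = true;   /* stand-in for the real teardown work */
    return SHUTDOWN_OK;
}

/* Probe once, then "reboot": report what the shutdown path would have done. */
static enum shutdown_outcome reboot_scenario(bool fw_in_recovery, bool use_fixed_probe)
{
    struct pci_dev dev;
    enum shutdown_outcome rc;

    memset(&dev, 0, sizeof(dev));
    g_last_pf = NULL;
    if (use_fixed_probe)
        probe_fixed(&dev, fw_in_recovery);
    else
        probe_vulnerable(&dev, fw_in_recovery);
    rc = shutdown_model(&dev);
    free(g_last_pf);        /* model cleanup; also frees the unregistered pf */
    return rc;
}

int main(void)
{
    const char *bad = "NULL drvdata -> oops";
    printf("vulnerable probe, FW in recovery: %s\n",
           reboot_scenario(true, false) == SHUTDOWN_OK ? "ok" : bad);
    printf("fixed probe, FW in recovery:      %s\n",
           reboot_scenario(true, true) == SHUTDOWN_OK ? "ok" : bad);
    printf("vulnerable probe, FW normal:      %s\n",
           reboot_scenario(false, false) == SHUTDOWN_OK ? "ok" : bad);
    return 0;
}
```

The point of the model is that the normal probe path and the recovery-mode path must leave the device in a state the shutdown path can handle; only the combination of recovery-mode firmware and the vulnerable probe ordering produces a NULL driver data pointer at shutdown, which matches the reproduction conditions above.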