Linux Kernel MVPP2 Ethernet Driver Out-of-Bounds Write Vulnerability in ETHTOOL_RXNFC Handling

Vulnerability

A vulnerability allowing a potential out-of-bounds write has been identified in the Linux kernel's MVPP2 Ethernet driver. This issue arises in the 'mvpp2_ethtool_get_rxnfc' function, where the size of the 'rules' array is determined by 'rule_cnt' from user space. If 'rule_cnt' is not properly validated before use, it can lead to out-of-bounds writes or null pointer dereferences.
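
The validation described above, as an added example that is not the driver's code or the upstream patch: a user-space C model in which 'rule_cnt' is the caller-declared capacity of 'rules'. The table 'rule_in_use', the constant 'N_ENTRIES', both function names and the '-EMSGSIZE' return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define N_ENTRIES 4   /* constructed table size, not the driver's constant */

/* Constructed model of a rule table: non-zero means the slot is in use. */
const uint8_t rule_in_use[N_ENTRIES] = { 1, 0, 1, 1 };

/* Unchecked pattern: assumes 'rules' can hold every active slot.
 * If the buffer was sized from a smaller rule_cnt, or rules is NULL,
 * the store below writes out of bounds or through a NULL pointer. */
int get_rule_locs_unchecked(uint32_t *rules, uint32_t rule_cnt)
{
    uint32_t loc = 0;

    (void)rule_cnt;                 /* never consulted: that is the bug */
    for (uint32_t i = 0; i < N_ENTRIES; i++)
        if (rule_in_use[i])
            rules[loc++] = i;
    return (int)loc;
}

/* Hardened pattern: treat rule_cnt as the capacity of 'rules' and check
 * it, and the pointer, before every store. */
int get_rule_locs_checked(uint32_t *rules, uint32_t rule_cnt)
{
    uint32_t loc = 0;

    for (uint32_t i = 0; i < N_ENTRIES; i++) {
        if (!rule_in_use[i])
            continue;
        if (rules == NULL || loc >= rule_cnt)
            return -EMSGSIZE;       /* buffer cannot hold this entry */
        rules[loc++] = i;
    }
    return (int)loc;                /* number of locations written */
}
```
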

Impact

The vulnerability could be exploited to cause an out-of-bounds write, potentially leading to memory corruption or a null pointer dereference.

Reproduction

The vulnerability is reached through the 'ETHTOOL_GRXCLSRLALL' command, which the 'mvpp2_ethtool_get_rxnfc' function handles without proper validation of the 'rule_cnt' parameter. A request that specifies a 'rule_cnt' value exceeding the actual size of the 'rules' array causes an out-of-bounds write.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit addressing this issue is '349638f7e5d3c7d328565587bb7b0454bbee02e2', which is included in the Linux kernel stable tree.

Added: Oct 1, 2025, 2:03 PM
Updated: Oct 1, 2025, 2:03 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.