Linux Kernel SFC Driver NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's SFC network driver, specifically in the EF10 statistics handling. The kernel can crash when the system reads network statistics from a network interface card (NIC) that is in the process of resetting: during the reset the NIC's statistics data is unavailable, so the read dereferences a NULL pointer. The statistics update function can be called while the NIC is in this state, for example during an ethtool self-test, when the NIC has already been finalized and its data is NULL. A potential time-of-check to time-of-use (TOCTOU) race condition exacerbates the problem and could be exploited if not properly managed.
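
The check-then-use race described above, shown as an added userspace model in C beside a hardened form. This is not the SFC driver's code or the upstream patch; `model_nic`, `stats_lock`, `hw_stats` and the function names are hypothetical, and a pthread mutex stands in for the driver's locking.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define N_STATS 4

/* Hypothetical model: hw_stats is NULL while the NIC is torn down for a reset. */
struct model_nic {
    pthread_mutex_t stats_lock;
    uint64_t *hw_stats;
};

/* Teardown half of a reset: the stats buffer goes away under the lock. */
void model_nic_fini(struct model_nic *nic)
{
    pthread_mutex_lock(&nic->stats_lock);
    free(nic->hw_stats);
    nic->hw_stats = NULL;
    pthread_mutex_unlock(&nic->stats_lock);
}

/* Racy pattern: the NULL check runs before the lock is taken, so a teardown
 * can slip in between the check and the copy (TOCTOU). */
int update_stats_racy(struct model_nic *nic, uint64_t *out)
{
    if (!nic->hw_stats)
        return -1;
    pthread_mutex_lock(&nic->stats_lock);
    memcpy(out, nic->hw_stats, N_STATS * sizeof(uint64_t)); /* may be NULL here */
    pthread_mutex_unlock(&nic->stats_lock);
    return 0;
}

/* Hardened pattern: check and use under the same lock. Returns 0 when stats
 * were copied, -1 (leaving out untouched) when the buffer is unavailable. */
int update_stats_safe(struct model_nic *nic, uint64_t *out)
{
    int ret = -1;
    pthread_mutex_lock(&nic->stats_lock);
    if (nic->hw_stats) {
        memcpy(out, nic->hw_stats, N_STATS * sizeof(uint64_t));
        ret = 0;
    }
    pthread_mutex_unlock(&nic->stats_lock);
    return ret;
}
```

The hardened form only holds if every path that frees or replaces the buffer takes the same lock, as `model_nic_fini` does here.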

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, leading to a system crash.

Reproduction

The vulnerability can be reproduced by initiating an ethtool self-test on a network interface using the SFC driver. While the self-test is running, the NIC will reset, causing the statistics data to become unavailable. If the statistics update function is called during this time, it will attempt to access the NULL data, resulting in a kernel crash.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Dec 24, 2025, 2:29 PM
Updated: Dec 24, 2025, 2:29 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.