Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A null pointer dereference vulnerability has been identified in the Linux kernel's BNXT Ethernet driver. It is triggered when an eXpress Data Path (XDP) program is detached from a network interface: the driver fails to properly reconfigure the Receive Side Scaling (RSS) hash table when XDP is turned off. As a result, the RSS map may not be updated correctly, and the driver crashes the kernel by accessing a freed memory ring.
Exploitation of this vulnerability leads to a kernel crash due to a null pointer dereference, caused by the driver accessing a freed memory ring.
To reproduce this vulnerability, first attach an XDP program to a network interface using the 'ip link set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp' command. Then, detach the XDP program by setting 'xdp off' on the same interface. After detaching XDP, check the status of the Generic Receive Offload (GRO) feature using 'ethtool -k eth0 | grep gro'. The GRO feature should be off. The vulnerability occurs because the driver does not automatically re-enable GRO after XDP is detached. If the number of receive rings is then reduced, it can interfere with the RSS configuration, leading to a null pointer dereference and a kernel crash.
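For triage, the state described above (BNXT interface, no XDP program attached, a GRO feature still off) can be recognised from ordinary tool output. The following is an added example, not code from this page or from the kernel project. The function names are hypothetical and the sample outputs are constructed. It assumes the stale state appears in `ethtool -k` as ethtool's "off [requested on]" marker.

```shell
#!/bin/sh
# Added example: flags a bnxt_en interface left in the post-XDP-detach state.

# Print the driver name from `ethtool -i IFACE` output on stdin.
driver_of() { awk -F': ' '$1 == "driver" { print $2; exit }'; }

# Succeed if `ip link show dev IFACE` output on stdin lists an XDP program.
xdp_attached() { grep -q 'prog/xdp'; }

# From `ethtool -k IFACE` output on stdin, list GRO features that are off
# although requested on (assumed marker of the state described above).
stale_gro() {
    awk '/gro/ && /off \[requested on\]/ {
        sub(/:.*/, ""); gsub(/^[ \t]+/, "")
        printf "%s%s", sep, $0; sep = ","
    } END { if (sep) print "" }'
}

# check_state DRIVER_OUT LINK_OUT FEATURES_OUT -> one-word verdict on stdout.
check_state() {
    [ "$(printf '%s\n' "$1" | driver_of)" = "bnxt_en" ] || { echo "not-bnxt"; return 0; }
    if printf '%s\n' "$2" | xdp_attached; then echo "xdp-attached"; return 0; fi
    stale=$(printf '%s\n' "$3" | stale_gro)
    if [ -n "$stale" ]; then echo "stale:$stale"; else echo "ok"; fi
}

# Live use on a host: check_iface eth0
check_iface() {
    check_state "$(ethtool -i "$1")" "$(ip link show dev "$1")" "$(ethtool -k "$1")"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_DRV='driver: bnxt_en
version: 0.0.0-sample'
SAMPLE_LINK_DETACHED='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP'
SAMPLE_LINK_XDP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp qdisc mq state UP
    prog/xdp id 7'
SAMPLE_FEAT_STALE='generic-receive-offload: on
rx-gro-hw: off [requested on]
rx-gro-list: off'
SAMPLE_FEAT_OK='generic-receive-offload: on
rx-gro-hw: on
rx-gro-list: off'

check_state "$SAMPLE_DRV" "$SAMPLE_LINK_DETACHED" "$SAMPLE_FEAT_STALE"
```

A "stale" verdict means the interface should not have its receive ring count reduced until the kernel is patched or the feature state has been corrected.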