Linux Kernel NULL Pointer Dereference Vulnerability in bnxt Ethernet Driver

A vulnerability in the Linux kernel's bnxt Ethernet driver can lead to a kernel panic due to a NULL pointer dereference. This issue occurs in the bnxt_get_queue_stats{rx | tx} functions, which collect per-queue statistics. The vulnerability arises because the driver accesses certain rings for statistics when the network interface is down, without performing a null check. As a result, the qstats-get operation can cause a kernel panic by attempting to read from a NULL reference, disrupting normal system operation.

Impact

Exploitation of this vulnerability causes a kernel panic, leading to a system crash.

Reproduction

To reproduce this vulnerability, take the following steps: 1. Bring the network interface down using the 'ip link set $interface down' command. 2. Execute the 'qstats-get' operation using a Python script, such as 'cli.py' or 'stats.py', which requests queue statistics from the interface. This sequence will trigger the vulnerability by causing the driver to access uninitialized rings, resulting in a NULL pointer dereference and a kernel panic.