Linux Kernel NULL Pointer Dereference Vulnerability in Intel Ice Ethernet Driver Low Latency Timestamp Handling

A vulnerability in the Linux kernel's Intel Ice Ethernet driver can lead to a NULL pointer dereference or use-after-free error. This issue arises in the 'ice_ll_ts_intr' function, which handles low latency transmit timestamps. The vulnerability occurs because the function does not verify if the timestamp tracking structure is initialized before accessing it. Recent E810 firmware updates introduced a low latency interrupt, allowing software to wait for the interrupt instead of polling registers. The 'ice_ptp_tx' structure, used to track which transmit timestamps have completed, is vulnerable to improper handling, similar to issues previously fixed in the 'ice_ptp_ts_irq' function.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash, or a use-after-free error, which could potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by using an Intel Ethernet E810 adapter with the affected Linux kernel version and firmware that supports the low latency timestamp feature. When the low latency interrupt is triggered, the 'ice_ll_ts_intr' function is called without the necessary initialization check, causing the NULL dereference or use-after-free error.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The patch is available in the Linux kernel stable tree.