Linux Kernel i40e Driver Debugfs Read Access Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's i40e driver, specifically in the 'command' and 'netdev_ops' debugfs files. These files are part of a legacy debugging interface that has been exposed since the early days of the i40e driver. Each provides a read handler that is largely useless and implemented with questionable logic. Both files use a static 256-byte buffer that is initialized to an empty string. The 'command' file's buffer is never used at all, while the 'netdev_ops' file's buffer stores the last command written to it. On read, each file presents its contents as the device name, followed by a colon, followed by the buffer's contents. The static buffer is shared by every device managed by the i40e module and is not protected by any lock, so concurrent access from different devices can interfere.

Impact

Exploitation of this vulnerability could lead to arbitrary kernel memory being read, particularly through the 'netdev_ops' debugfs file.

Reproduction

The vulnerability can be reproduced by writing a command into the 'netdev_ops' debugfs file and then reading it back. If the written command is long enough, the formatted output (device name, colon and buffer contents) exceeds the size of the static buffer, and 'copy_to_user' is asked to copy more bytes than the buffer holds, so it reads beyond the end of the allocation and returns arbitrary kernel memory to user space.
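The length bug behind this over-read, as an added user-space illustration that is not the i40e driver's code: the formatted line can be longer than the 256-byte output buffer, and using the would-be length returned by snprintf() as the byte count for the copy is exactly what lets copy_to_user() run past the buffer. The buffer sizes, the netdev name and the modelled copy are assumptions chosen to match the 256-byte figure in the advisory; the hardened variant clamps to what was actually written.

```c
/* Added example, not driver code: models a debugfs read handler that formats
 * "<netdev name>: <last command>" into a fixed buffer and reports how many
 * bytes it would hand to copy_to_user(). All sizes and names are assumptions. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* assumed size of the formatted output buffer       */
#define CMD_SIZE 256   /* assumed size of the stored last-written command   */

/* Unsafe pattern: snprintf() returns the length the full string WOULD have
 * had, not how much fit. If name + ": " + command exceed BUF_SIZE, this count
 * is larger than the buffer, and a copy of that many bytes over-reads it. */
size_t unsafe_read_len(const char *name, const char *cmd)
{
    char buf[BUF_SIZE];
    int len = snprintf(buf, sizeof(buf), "%s: %s\n", name, cmd);
    return len < 0 ? 0 : (size_t)len;   /* would be passed to copy_to_user() */
}

/* Hardened variant: clamp to the bytes actually written (the behaviour of the
 * kernel's scnprintf()), so the copy length can never exceed the buffer. */
size_t safe_read_len(const char *name, const char *cmd)
{
    char buf[BUF_SIZE];
    int len = snprintf(buf, sizeof(buf), "%s: %s\n", name, cmd);
    if (len < 0)
        return 0;
    if ((size_t)len >= sizeof(buf))
        len = (int)sizeof(buf) - 1;     /* output was truncated by snprintf */
    return (size_t)len;
}

/* 1 if the unsafe length would read past the output buffer for this input. */
int over_reads(const char *name, const char *cmd)
{
    return unsafe_read_len(name, cmd) > BUF_SIZE;
}

/* Constructed input: a command that fills the whole 256-byte command buffer. */
const char *long_cmd(void)
{
    static char cmd[CMD_SIZE];
    memset(cmd, 'A', CMD_SIZE - 1);
    cmd[CMD_SIZE - 1] = '\0';
    return cmd;
}

int main(void)
{
    printf("short: unsafe=%zu safe=%zu\n", unsafe_read_len("eth0", "ls"),
           safe_read_len("eth0", "ls"));
    printf("long:  unsafe=%zu safe=%zu over-read=%d\n",
           unsafe_read_len("eth0", long_cmd()), safe_read_len("eth0", long_cmd()),
           over_reads("eth0", long_cmd()));
    return 0;
}
```

With a 255-character command the unsafe count is 262 bytes against a 256-byte buffer, which is the over-read the advisory describes; the clamped variant reports 255.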

Remediation

The vulnerability has been addressed by removing read access to the 'command' and 'netdev_ops' debugfs files. Users should update to a Linux kernel version that contains this fix.

Added: Oct 1, 2025, 8:43 AM
Updated: Oct 1, 2025, 8:43 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.