Linux kernel
A vulnerability in the Linux kernel's ethtool implementation can lead to a buffer overflow in userspace when statistics are queried. The ethtool -S command relies on three separate ioctl calls: ETHTOOL_GSSET_INFO to obtain the number of statistics, ETHTOOL_GSTRINGS to obtain their names, and ETHTOOL_GSTATS to obtain their values. Userspace sizes its buffers from the count returned by the first call; if the number of statistics changes between the calls, for example during a device reconfiguration, the later calls can return more data than those buffers can hold, overflowing them. Most drivers are expected to keep their statistic count stable, but some, such as mlx5, bnx2x, bna and ksz884x, use dynamic counters and can produce this mismatch. Some of these drivers attempt to handle the problem internally, but the issue persists. The vulnerability has been addressed by changing the ethtool functions so that they do not return data when the expected and actual sizes differ, which prevents the overflow.
Exploitation of this vulnerability can lead to a buffer overflow in userspace, a common cause of memory corruption vulnerabilities.
The vulnerability can be reproduced by running ethtool -S on a network interface managed by a driver that uses dynamic statistics counters, such as mlx5, bnx2x, bna or ksz884x. The overflow of the userspace buffer occurs when the statistics count changes between the ioctl calls, producing a mismatch between the expected and actual number of statistics.
Users should update to a Linux kernel version in which this vulnerability has been fixed. Instructions for updating the kernel can be found in the official Linux kernel documentation.