Linux Kernel idpf Driver NULL Pointer Dereference Vulnerability in RSS Lookup Table Management

A NULL pointer dereference vulnerability has been identified in the Linux kernel's idpf driver, specifically in the management of the Receive Side Scaling (RSS) Lookup Table (LUT). This issue occurs because the RSS LUT is not initialized until the network interface is activated. As a result, performing certain ethtool operations, such as toggling the rxhash feature, before the interface is brought up for the first time can lead to a crash. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, load the idpf driver using 'modprobe idpf', which will create the necessary network interfaces. Before activating the interfaces, use 'ethtool -K eth2 rxhash off' to disable the rxhash feature on the second Ethernet interface. This action will trigger the NULL pointer dereference, causing a kernel crash.

Remediation

The vulnerability has been addressed in the Linux kernel by moving the initialization of the RSS LUT to the virtual port creation stage, ensuring that the LUT is always available before any ethtool operations are performed. Users should update to the latest version of the Linux kernel where this fix has been applied.