Linux Kernel iavf Driver Out-of-Bounds Write Vulnerability

Vulnerability

A vulnerability in the Linux kernel's iavf driver can lead to out-of-bounds writes in the function iavf_get_ethtool_stats(). The issue arises because iavf relies on real_num_tx_queues for ETH_SS_STATS, a value that can change at runtime. It should instead use num_tx_queues, which remains constant after the device is created. The problem is made worse by the fact that iavf_get_ethtool_stats() uses num_active_queues, while the related functions iavf_get_sset_count() and iavf_get_stat_strings() reference real_num_tx_queues. The ethtool core sizes the statistics buffer from the count returned by iavf_get_sset_count(), so if the queue count has changed by the time iavf_get_ethtool_stats() fills that buffer, the writes run past its end. This discrepancy can cause out-of-bounds writes when "ethtool -L" and "ethtool -S" are executed simultaneously, particularly while channels are being changed.

Impact

Exploitation of this vulnerability causes out-of-bounds writes, which can lead to memory corruption.

Reproduction

The vulnerability can be reproduced by running the command 'ethtool -L' to change the active channels while simultaneously executing 'ethtool -S' to request statistics. This timing conflict triggers the out-of-bounds write because the statistics buffer was sized using one queue count and is then filled using another.
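The sizing mismatch described above, as an added user-space model (not kernel or iavf source): the buffer is sized from one queue count, the channel count changes, and the fill uses another count. The struct, function names, the value of STATS_PER_QUEUE and the device maximum of 16 queues are assumptions made for this example; the model only counts the slots that would fall past the buffer and never writes outside it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define STATS_PER_QUEUE 4 /* constructed value for this model */

/* User-space stand-in for the three queue counts named in the advisory. */
struct model_dev {
    unsigned num_tx_queues;      /* fixed when the device is created */
    unsigned real_num_tx_queues; /* changes when channels are reconfigured */
    unsigned num_active_queues;  /* driver's current active queue count */
};

/* Sizing step: number of u64 slots the caller allocates for the stats. */
static unsigned count_slots(const struct model_dev *d, int use_fixed)
{
    return STATS_PER_QUEUE * (use_fixed ? d->num_tx_queues : d->real_num_tx_queues);
}

/* Fill step: writes only inside cap; returns the slots wanted beyond it. */
static unsigned fill_stats(const struct model_dev *d, uint64_t *buf,
                           unsigned cap, int use_fixed)
{
    unsigned queues = use_fixed ? d->num_tx_queues : d->num_active_queues;
    unsigned want = queues * STATS_PER_QUEUE, i;
    for (i = 0; i < want && i < cap; i++) {
        unsigned q = i / STATS_PER_QUEUE;
        /* inactive queues report zero, so the layout never changes */
        buf[i] = (q < d->num_active_queues) ? 1000u + i : 0;
    }
    return want > cap ? want - cap : 0;
}

/* Size the buffer, change channels (the "ethtool -L" step), then fill. */
static unsigned simulate(int use_fixed, unsigned before, unsigned after)
{
    struct model_dev d = { 16, before, before };
    unsigned cap = count_slots(&d, use_fixed), over;
    uint64_t *buf = calloc(cap, sizeof(*buf));
    if (!buf) return (unsigned)-1;
    d.real_num_tx_queues = d.num_active_queues = after; /* channel change */
    over = fill_stats(&d, buf, cap, use_fixed);
    free(buf);
    return over;
}

int main(void)
{
    printf("runtime counts: %u slots past the buffer\n", simulate(0, 4, 8));
    printf("fixed count:    %u slots past the buffer\n", simulate(1, 4, 8));
    return 0;
}
```

With sizing and fill both tied to the constant count, the result is zero whichever way the channel count moves between the two steps.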

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: Apr 22, 2026, 2:55 PM
Updated: Apr 22, 2026, 2:55 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.