Linux Kernel NULL Pointer Dereference Vulnerability in MTK Ethernet PPE Offload

Vulnerability

A vulnerability in the Linux kernel's handling of MediaTek Ethernet PPE offloading can lead to a system crash. When the GMAC0 interface is disabled, the code fails to properly check for a valid ingress device, resulting in a NULL pointer dereference. This occurs because the first network device in the MTK Ethernet structure is NULL, yet the code attempts to access its operations. The issue can be exploited by triggering a flow offload replacement while GMAC0 is disabled, causing the kernel to dereference a NULL pointer and crash the system.
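The pattern described above, modelled in user-space C as an added example; it is not the kernel's code and not part of the original advisory. All type and function names are hypothetical, and the hardened form assumes every device of the driver shares one operations table, so a match against any populated slot identifies the driver.

```c
/* Simplified user-space model; every type and function name is hypothetical. */
#include <stddef.h>
#include <stdio.h>

#define MAX_MACS 2

struct ops { int id; };                          /* stands in for a driver's device operations */
struct netdev { const struct ops *ops; };        /* stands in for a network device */
struct eth { struct netdev *netdev[MAX_MACS]; }; /* slot 0 is NULL when GMAC0 is disabled */

/* Pattern described in the advisory: slot 0 is dereferenced unconditionally. */
int ingress_is_ours_unchecked(const struct eth *eth, const struct netdev *idev)
{
    return idev && idev->ops == eth->netdev[0]->ops; /* faults if netdev[0] == NULL */
}

/* Hardened form: skip empty slots and compare against any populated one.
 * Assumption: all devices of this driver share the same operations table. */
int ingress_is_ours_checked(const struct eth *eth, const struct netdev *idev)
{
    if (!eth || !idev)
        return 0;
    for (size_t i = 0; i < MAX_MACS; i++) {
        if (eth->netdev[i] && eth->netdev[i]->ops == idev->ops)
            return 1;
    }
    return 0;
}

/* Constructed scenario: GMAC0 disabled, GMAC1 present, one foreign device. */
static const struct ops mtk_ops = { 1 }, other_ops = { 2 };
static struct netdev gmac1 = { &mtk_ops }, foreign = { &other_ops };
static struct eth eth_gmac0_off = { { NULL, &gmac1 } };

int main(void)
{
    printf("gmac1 ingress accepted:   %d\n", ingress_is_ours_checked(&eth_gmac0_off, &gmac1));
    printf("foreign ingress accepted: %d\n", ingress_is_ours_checked(&eth_gmac0_off, &foreign));
    return 0;
}
```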

Impact

Exploitation of this vulnerability causes a kernel panic, leading to a system crash.

Reproduction

To reproduce this vulnerability, disable the GMAC0 interface on a device running the affected Linux kernel. Then, initiate a flow offload replacement process that requires a valid ingress device. The system will attempt to access the network operations of the first MTK Ethernet device, which will be NULL, causing a NULL pointer dereference and a kernel panic.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for updating the Linux kernel can be found in the official Linux documentation.

Added: May 1, 2026, 4:51 PM
Updated: May 1, 2026, 4:51 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.