Linux Kernel NULL Dereference Vulnerability in stmmac Driver When RX Memory Exhausted

Vulnerability

A vulnerability in the Linux kernel's stmmac Ethernet driver can lead to a NULL pointer dereference. It occurs when receive (RX) memory is exhausted and the driver then mismanages ownership of the DMA descriptors shared between the CPU and the MAC. The RX descriptor management confuses the 'full' and 'dirty' ring states, so the driver can mistake empty descriptors for ones holding valid frames. The flaw is triggered when stmmac_rx_refill() fails to allocate new buffers and leaves behind 'dirty' descriptors that the main receive loop then processes as if they held received data, leading to a system panic.

Impact

Exploitation of this vulnerability causes a system panic due to a NULL pointer dereference, disrupting normal operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by exhausting RX memory while the stmmac Ethernet driver is in use: the RX buffers are filled while stmmac_rx_refill() is unable to allocate new ones, so the 'dirty' descriptors are left unprocessed. Once the 'cur_rx' index catches up with the 'dirty_rx' marker, the driver panics with a NULL dereference.
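The ring-state confusion described in the Vulnerability and Reproduction sections, as an added model in C that is not the stmmac driver's code: a tiny descriptor ring whose refill can fail, a receive loop that trusts only the ownership bit, and a guarded variant that stops once every slot is dirty rather than reading the ring as full. RING_SIZE, the oom knob and all function and field names are constructed for this example; the kernel's NULL dereference is modelled as a -1 return instead of a crash.

```c
#include <stdbool.h>
#include <stdlib.h>
#define RING_SIZE 4  /* constructed: tiny ring for illustration */

/* own: set while the MAC holds the slot; buf: NULL after hand-off or a failed refill */
struct rx_desc { bool own; char *buf; };

struct rx_ring {
    struct rx_desc d[RING_SIZE];
    unsigned int cur_rx;    /* next slot the receive loop inspects (monotonic counter) */
    unsigned int dirty_rx;  /* first slot still waiting for a fresh buffer */
    bool oom;               /* constructed knob: buffer allocation fails when set */
};

/* Refill hands buffers back to the MAC; a failed allocation leaves a dirty slot:
 * CPU-owned with buf == NULL, which is also how a received frame looks. */
static void rx_refill(struct rx_ring *r)
{
    while (r->cur_rx - r->dirty_rx > 0) {
        struct rx_desc *p = &r->d[r->dirty_rx % RING_SIZE];
        if (!(p->buf = r->oom ? NULL : malloc(2048))) break;
        p->own = true; r->dirty_rx++;
    }
}

/* Receive loop: returns frames processed, or -1 where the kernel would dereference NULL.
 * The guarded variant stops once every slot is dirty instead of reading the ring as full. */
static int rx_poll(struct rx_ring *r, int budget, bool guarded)
{
    int count = 0;
    while (count < budget) {
        struct rx_desc *p = &r->d[r->cur_rx % RING_SIZE];
        if (guarded && r->cur_rx - r->dirty_rx >= RING_SIZE)
            break;                    /* all slots await refill: nothing can have arrived */
        if (p->own) break;            /* MAC still owns it: no frame yet */
        if (!p->buf) return -1;       /* dirty slot mistaken for a received frame */
        free(p->buf); p->buf = NULL;  /* frame handed to the stack; slot is now dirty */
        r->cur_rx++; count++;
    }
    return count;
}

/* Drain a full ring, refill under OOM, poll again: -1 = would dereference NULL, 0 = guard held. */
static int run_exhaustion_scenario(bool guarded)
{
    struct rx_ring r = {0};
    for (int i = 0; i < RING_SIZE; i++)     /* MAC has already filled every slot */
        r.d[i].buf = malloc(2048);
    rx_poll(&r, RING_SIZE, guarded);        /* cur_rx == RING_SIZE, dirty_rx == 0 */
    r.oom = true;
    rx_refill(&r);                          /* fails at once; every slot stays dirty */
    return rx_poll(&r, RING_SIZE, guarded); /* cur_rx wraps onto dirty_rx */
}
```

With the guard, the second poll returns 0 and the ring simply waits for a later refill to succeed; without it, the wrapped cur_rx lands on the dirty slot at dirty_rx and the loop reads a NULL buffer.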

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 28, 2026, 2:48 PM
Updated: May 28, 2026, 2:48 PM