Maciej Fijalkowski

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.15.0-rc5+ Description: The vulnerability is related to a NULL pointer dereference in the Linux kernel, specifically in the ice driver. The issue occurs when the Rx queue count differs from the Tx queue count, causing a hidden bug to be exposed. The vulnerability can be triggered when ethtool -L is used and XDP rings are configured. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include: - The `ice vsi free arrays()` function is vulnerable. - The `ice vsi rebuild()` function is also affected. - The `devres remove()` function is involved in the NULL pointer dereference. - The `ethtool -L` command can trigger the vulnerability when XDP rings are configured. Recommendations: To resolve the issue, update the Linux kernel to a version that includes the fix for the ice driver, taking into account the value that `num possible cpus()` yields in addition to `vsi->alloc txq` instead of doubling the latter. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.0 **Description** The issue arises from a null pointer dereference in the Linux kernel when using multi-buffer BPF helpers for ZC XDP. This occurs when a packet is shrunk via the `bpf xdp adjust tail()` function and the memory type is set to `MEM TYPE XSK BUFF POOL`. The null pointer dereference happens because the `xdp buff` argument passed to the ` xdp return()` call is NULL, which is supposed to be consumed by the `xsk buff free()` call. To address this properly, a node representing the frag being removed needs to be pulled out of the `xskb list`. Introducing appropriate xsk helpers for this node operation and using them within `bpf xdp adjust tail()` resolves the issue. **Recommendations** To resolve the issue for Linux kernel versions prior to 6.6.0, update the kernel to version 6.6.0 or later. If updating is not feasible, consider temporarily disabling the use of multi-buffer BPF helpers for ZC XDP until a patch is available. Additionally, restrict access to the vulnerable `bpf xdp adjust tail()` function to minimize the risk of exploitation.