CVE-2023-54240
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
rule_locs is allocated in ethtool_get_rxnfc and the size is determined by rule_cnt from user space. So rule_cnt needs to be checked before using rule_locs to avoid NULL pointer dereference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's mtk_eth_soc driver, a missing check on user-supplied rule_cnt can cause a NULL pointer dereference in mtk_hwlro_get_fdir_all().
Vulnerability
CVE-2023-54240 is a NULL pointer dereference vulnerability in the Linux kernel's MediaTek Ethernet driver (mtk_eth_soc). The flaw resides in the mtk_hwlro_get_fdir_all() function, which is called during the ethtool_get_rxnfc operation. The function uses a buffer (rule_locs) whose size is determined by the rule_cnt value provided from user space. If rule_cnt is zero or otherwise invalid, the allocation may be skipped or insufficient, leading to a NULL pointer dereference when the code attempts to use rule_locs without first verifying that rule_cnt is valid [1][2][3].
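A user-space model of the pattern described above, with the bounds check in place. This is an added example, not the kernel driver's code or the upstream patch. The names rxnfc_model, get_fdir_all_checked, query_rules and MAX_LRO_IP_CNT are hypothetical, and the model assumes the caller leaves the buffer NULL when the requested count is 0.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_LRO_IP_CNT 2                     /* hypothetical number of rule slots */
struct rxnfc_model { uint32_t rule_cnt; };   /* models the user-supplied request */

/* Hardened lookup: rule_locs[cnt] is written only while cnt < cmd->rule_cnt,
 * so a NULL (rule_cnt == 0) or undersized buffer is never touched. */
static int get_fdir_all_checked(const uint32_t *slots, struct rxnfc_model *cmd,
                                uint32_t *rule_locs)
{
    uint32_t cnt = 0;

    for (uint32_t i = 0; i < MAX_LRO_IP_CNT; i++) {
        if (!slots[i])
            continue;
        if (cnt == cmd->rule_cnt)   /* the check the unpatched pattern lacks */
            return -EMSGSIZE;
        rule_locs[cnt++] = i;
    }
    cmd->rule_cnt = cnt;            /* report how many entries were filled */
    return 0;
}

/* Models the caller: the buffer is sized from the user-supplied count and
 * stays NULL when that count is 0 (assumption of this model). */
static int query_rules(const uint32_t *slots, uint32_t user_rule_cnt, uint32_t *found)
{
    struct rxnfc_model cmd = { .rule_cnt = user_rule_cnt };
    uint32_t *rule_locs = NULL;
    int ret;

    if (user_rule_cnt > 0) {
        rule_locs = calloc(user_rule_cnt, sizeof(*rule_locs));
        if (!rule_locs)
            return -ENOMEM;
    }
    ret = get_fdir_all_checked(slots, &cmd, rule_locs);
    *found = ret ? 0 : cmd.rule_cnt;
    free(rule_locs);
    return ret;
}

int main(void)
{
    uint32_t slots[MAX_LRO_IP_CNT] = { 1, 1 };  /* constructed: both slots active */
    uint32_t found;
    /* A zero count with active slots is rejected instead of dereferenced. */
    return query_rules(slots, 0, &found) == -EMSGSIZE ? 0 : 1;
}
```

Without the `cnt == cmd->rule_cnt` comparison, the first active slot would be written through the NULL buffer when the requested count is 0, and past the end of the buffer when the count is smaller than the number of active slots.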
Exploitation
An attacker with local access and the ability to issue ethtool commands (specifically ETHTOOL_GRXCLSRLALL or similar) can trigger this vulnerability. No special privileges beyond the ability to call the affected ioctl are required, though the attacker must have access to a network interface using the mtk_eth_soc driver. The attack surface is limited to systems with MediaTek Ethernet hardware and the corresponding kernel driver loaded.
Impact
Successful exploitation results in a kernel NULL pointer dereference, which typically causes a system crash (denial of service). In some configurations, this could potentially be leveraged for privilege escalation, but the primary impact is a denial-of-service condition on the affected system.
Mitigation
The fix has been applied in the Linux kernel stable tree via commits [1], [2], and [3]. Users should update their kernel to a version containing the patch. No workaround is available other than applying the kernel update.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/072324cfab9b96071c0782f51f53cc5aea1e9d5b (nvd)
- git.kernel.org/stable/c/653fbddbdfc6673bba01b13dae5a4384ad8f92ec (nvd)
- git.kernel.org/stable/c/751b2e22a188b0c306029d094da29b6b8de31430 (nvd)
- git.kernel.org/stable/c/75f2de75c1182e80708c932418e4895dbc88b68f (nvd)
- git.kernel.org/stable/c/7776591e5ae2befff86579f68916a171971c6aab (nvd)
- git.kernel.org/stable/c/e4c79810755f66c9a933ca810da2724133b1165a (nvd)
- git.kernel.org/stable/c/fe0195fe48f85182bc7e7eabcad925bd3cbc10f5 (nvd)
- git.kernel.org/stable/c/ff5faed5f5487b0fd2b640ba1304f82a5ebaab42 (nvd)