Linux Kernel SATA Driver Out-of-Bounds Write Vulnerability Leading to NULL Pointer Dereference

Vulnerability

A vulnerability in the Linux kernel's SATA driver for the DWC 460EX controller has been fixed. The issue was an out-of-bounds write that ended in a crash on a NULL pointer dereference. It arose because the driver mishandled the 'tag' values it receives from libata, producing memory accesses outside the intended range. The crash occurred when the driver's write nullified a DMA channel pointer, which the driver then passed to a DMA engine configuration function, causing a kernel panic. The vulnerability was reported on the OpenWrt Forum and relates to the driver's management of command tags and queue sizes.

Impact

Triggering this vulnerability crashes the kernel with a NULL pointer dereference, a denial of service that interrupts normal system operation.

Reproduction

The vulnerability can be reproduced with the affected SATA driver on a PowerPC 44x platform running a kernel with a 4K page size. The issue arises when the driver processes 'tag' values after the ATA_TAG_INTERNAL value is increased to 32 without a matching adjustment of the command queue size, which should not exceed 32.

Remediation

The vulnerability has been addressed in the Linux kernel by adjusting the SATA driver to account for the updated 'tag' values, so that the command queue size does not exceed the maximum allowed.
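An added illustration, not the kernel's code, of why a tag value of 32 lands on the neighbouring DMA channel pointer when the per-tag arrays only cover tags 0..31, and why sizing them for the full tag range removes the overlap. The struct layout, field names and the ATA_MAX_QUEUE + 1 sizing are assumptions modelled on the description above, not the driver's actual definitions:

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Values as the page describes them: libata's internal tag was raised to 32,
 * one past the 32 hardware queue slots (tags 0..31). Assumed constants. */
#define ATA_MAX_QUEUE    32
#define ATA_TAG_INTERNAL ATA_MAX_QUEUE
#define QCMD_MAX_VULN    32                  /* arrays cover tags 0..31 only */
#define QCMD_MAX_FIXED   (ATA_MAX_QUEUE + 1) /* assumed fix: room for tag 32 */

struct dma_chan { int id; };

/* Simplified per-port state modelled on the description: a tag-indexed array
 * directly followed by the DMA channel pointer. Not the driver's real struct. */
struct port_vuln  { int dma_pending[QCMD_MAX_VULN];  struct dma_chan *chan; };
struct port_fixed { int dma_pending[QCMD_MAX_FIXED]; struct dma_chan *chan; };

/* Would storing dma_pending[tag] touch the bytes of a pointer at chan_off?
 * Pure offset arithmetic: no out-of-bounds access is actually performed. */
static int store_overlaps_chan(unsigned tag, size_t chan_off)
{
    size_t lo = (size_t)tag * sizeof(int), hi = lo + sizeof(int);
    return lo < chan_off + sizeof(struct dma_chan *) && hi > chan_off;
}

/* Vulnerable layout: tag 32 writes straight over chan (returns 1). */
int vuln_store_clobbers_chan(unsigned tag)
{
    return store_overlaps_chan(tag, offsetof(struct port_vuln, chan));
}

/* Fixed layout: tag 32 stays inside the array (returns 0). */
int fixed_store_clobbers_chan(unsigned tag)
{
    return store_overlaps_chan(tag, offsetof(struct port_fixed, chan));
}

/* Defensive setter: reject any tag the arrays were not sized for, so a future
 * widening of libata's tag range fails loudly instead of corrupting memory. */
int set_dma_pending(struct port_fixed *p, unsigned tag, int state)
{
    if (tag >= QCMD_MAX_FIXED)
        return -EINVAL;
    p->dma_pending[tag] = state;
    return 0;
}
```

The overlap check works on offsetof values, so the same test tells you whether any other pointer field placed after a tag-indexed array would be hit by the first out-of-range tag.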

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  5.7
  remediation     7.7
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.