Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's FPGA subsystem, specifically within the 'dfl_feature_ioctl_set_irq' function. This issue arises from an integer overflow in the multiplication of 'hdr.count' and 'sizeof(s32)', whose result can exceed the maximum value representable on 32-bit systems. The overflow leads to memory corruption. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can cause memory corruption, potentially leading to arbitrary code execution or a system crash.
The vulnerability can be reproduced by invoking the 'dfl_feature_ioctl_set_irq' function with a header count that, when multiplied by the size of a 32-bit integer, exceeds the maximum value for an integer on a 32-bit system. This can be done by crafting an appropriate user-space application that interacts with the FPGA subsystem and triggers the integer overflow.
Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. The official Linux kernel Git repository includes the patched version.
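The 32-bit wraparound described above, next to a checked multiplication that rejects it, as an added user-space C example (not code from the kernel or from this advisory). `size32_t`, the function names and the sample counts are constructed for illustration; `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for size_t on a 32-bit build (assumption for this demo). */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Unchecked: the product is truncated to 32 bits, as on a 32-bit system. */
static size32_t irq_bytes_unchecked(uint32_t count)
{
    return (size32_t)(count * (uint32_t)sizeof(int32_t));
}

/*
 * Checked: saturate to SIZE32_MAX on overflow so that a following
 * allocation fails instead of returning a buffer that is too small.
 */
static size32_t irq_bytes_checked(uint32_t count)
{
    size32_t bytes;

    if (__builtin_mul_overflow(count, (uint32_t)sizeof(int32_t), &bytes))
        return SIZE32_MAX;
    return bytes;
}

/* Hypothetical caller-side check: 0 on success, -1 for a rejected count. */
static int validate_irq_count(uint32_t count, size32_t *bytes_out)
{
    size32_t bytes = irq_bytes_checked(count);

    if (bytes == SIZE32_MAX) /* never a real product: not a multiple of 4 */
        return -1;
    *bytes_out = bytes;
    return 0;
}

int main(void)
{
    /* Constructed sample counts; the last two wrap in 32 bits. */
    const uint32_t samples[] = { 4, 1024, 0x40000000u, 0x40000001u };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size32_t bytes = 0;
        int rc = validate_irq_count(samples[i], &bytes);
        printf("count=%#x unchecked=%u checked rc=%d\n", (unsigned)samples[i],
               (unsigned)irq_bytes_unchecked(samples[i]), rc);
    }
    return 0;
}
```

The unchecked size for the wrapping counts is far smaller than the number of elements the count claims, which is the mismatch that makes later accesses run past the buffer.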