Linux kernel (cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* and 4 further CPE entries)
A vulnerability in the Linux kernel's NVMe over TCP target implementation allows out-of-bounds access because the transfer tag (ttag) carried in a host-to-controller (H2C) data PDU is used directly as an index into the queue's command array. The issue is in the function 'nvmet_tcp_handle_h2c_data_pdu()': the ttag is taken from the PDU header, which the remote peer controls, and was never checked against the size of the command table, so an out-of-range value makes the handler read and write memory outside that table. The fix adds a bounds check that rejects any ttag greater than or equal to the number of commands in the queue before it is used as an index.
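The check described above, as an added illustration rather than the kernel's own code: a simplified stand-in for the H2C data PDU handler that validates the peer-supplied ttag against the queue's command count before indexing. The struct names, the `run_scenario` helper and the error-reporting path are assumptions made for this example; only the shape of the check (reject `ttag >= nr_cmds`, fail the connection, return `-EPROTO`) follows the fix the page describes.

```c
/* Added example, not Linux kernel code: models the ttag bounds check
 * added to nvmet_tcp_handle_h2c_data_pdu(). All type names below are
 * simplified stand-ins for the kernel's structures. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EPROTO 71  /* same numeric value as the Linux errno; returned as -EPROTO */

/* Fields of the H2C data PDU header that the handler needs. On the wire
 * these are little-endian; the example assumes they are already host order. */
struct h2c_data_pdu {
    uint16_t ttag;         /* transfer tag: peer-controlled index into cmds[] */
    uint32_t data_offset;
    uint32_t data_length;
};

/* Per-command state; only what this example touches. */
struct tcp_cmd {
    uint32_t bytes_received;
};

/* Per-queue state with a command table of nr_cmds entries (constructed). */
struct tcp_queue {
    int idx;
    unsigned int nr_cmds;
    struct tcp_cmd *cmds;
    int fatal_error;       /* set when the connection must be torn down */
};

static void queue_fatal_error(struct tcp_queue *q)
{
    q->fatal_error = 1;    /* the kernel would tear down the TCP connection here */
}

/* Hardened handler: the ttag is validated before it is used as an index,
 * so a hostile peer can never address memory beyond the cmds[] table. */
int handle_h2c_data_pdu(struct tcp_queue *queue, const struct h2c_data_pdu *data)
{
    struct tcp_cmd *cmd;

    if (data->ttag >= queue->nr_cmds) {
        fprintf(stderr, "queue %d: out of bound ttag %u, nr_cmds %u\n",
                queue->idx, data->ttag, queue->nr_cmds);
        queue_fatal_error(queue);
        return -EPROTO;
    }
    cmd = &queue->cmds[data->ttag];
    cmd->bytes_received += data->data_length;
    return 0;
}

/* Builds a queue with nr_cmds commands and feeds it one PDU carrying the
 * given ttag; returns the handler's result (0 or -EPROTO). */
int run_scenario(uint16_t ttag, unsigned int nr_cmds)
{
    struct tcp_cmd cmds[16];
    struct tcp_queue q = { .idx = 1, .nr_cmds = nr_cmds, .cmds = cmds };
    struct h2c_data_pdu pdu = { .ttag = ttag, .data_offset = 0, .data_length = 512 };

    if (nr_cmds > 16)
        nr_cmds = q.nr_cmds = 16;   /* keep the constructed table in bounds */
    memset(cmds, 0, sizeof(cmds));
    return handle_h2c_data_pdu(&q, &pdu);
}

int main(void)
{
    printf("ttag 3 of 4 -> %d\n", run_scenario(3, 4));        /* 0: accepted   */
    printf("ttag 4 of 4 -> %d\n", run_scenario(4, 4));        /* -71: rejected */
    printf("ttag 65535 of 4 -> %d\n", run_scenario(65535, 4)); /* -71: rejected */
    return 0;
}
```

The essential property is that the comparison happens before the index is formed: `ttag` is unsigned, so a single `>=` against `nr_cmds` covers both the off-by-one case (ttag equal to the table size) and arbitrary large values. In the kernel the PDU fields arrive little-endian and go through `le16_to_cpu()` first; the check must be applied to the converted value.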
Exploitation of this vulnerability results in out-of-bounds memory access in the kernel, which can cause a denial of service (a crash of the NVMe target host) and may allow arbitrary memory manipulation.
The vulnerability can be reproduced by sending an H2C data PDU whose transfer tag exceeds the number of commands in the NVMe TCP queue. Because the original code does not bounds-check the ttag field of the data PDU header, the NVMe command handler uses the oversized value as an index and accesses memory outside the queue's command table.
Users should upgrade to a patched version of the Linux kernel from the Linux kernel stable tree, which includes the ttag bounds check.