Linux Kernel RDMA/siw Immediate Work Request Flush Vulnerability

Vulnerability

A vulnerability in the Linux kernel's RDMA/siw component allows out-of-bounds access to the driver's opcode mapping arrays, potentially leading to memory corruption. The issue arises when an undefined opcode value is generated while immediate work requests are flushed, in particular when the Queue Pair (QP) is in the error state: the undefined value is used as an index into the mapping arrays without being validated first. The flaw was surfaced by a KASAN bug report during NFSoRDMA testing. Additionally, a malicious user could exploit the vulnerability to write undefined values into completion queue elements if the completion queue is memory-mapped into user space.

Impact

Exploitation of this vulnerability causes a global out-of-bounds memory access, which can lead to memory corruption.

Reproduction

The vulnerability can be reproduced by sending immediate work requests through a Queue Pair (QP) that is intentionally placed in the ERROR state. While those requests are flushed, the undefined opcode values trigger the out-of-bounds access in siw_cq.c and siw_verbs.c, disrupting the normal operation of the RDMA/siw component.
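The defensive pattern the fix needs, shown as an added example that is not the siw driver's own code: every opcode that reaches a completion-queue element is checked against the size of the mapping array before it is used as an index, and an undefined opcode seen during a flush produces a defined, deliberately chosen completion value instead of whatever lies beyond the table. The opcode enums, the table contents, the cqe struct and the function names below are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical work-request opcodes (not the siw driver's enum).
 * WR_OPCODE_COUNT doubles as the size of the mapping table. */
enum wr_opcode {
    WR_WRITE = 0,
    WR_READ = 1,
    WR_SEND = 2,
    WR_SEND_IMM = 3,
    WR_OPCODE_COUNT
};

/* Hypothetical completion opcodes and statuses. */
enum cq_opcode { CQ_OP_WRITE = 0, CQ_OP_READ = 1, CQ_OP_SEND = 2, CQ_OP_INVALID = 0xff };
enum cq_status { CQ_OK = 0, CQ_FLUSH_ERR = 5 };

/* Mapping table: indexing it with any value >= WR_OPCODE_COUNT is the
 * out-of-bounds access the advisory describes. */
static const uint8_t wr_to_cq_opcode[WR_OPCODE_COUNT] = {
    [WR_WRITE]    = CQ_OP_WRITE,
    [WR_READ]     = CQ_OP_READ,
    [WR_SEND]     = CQ_OP_SEND,
    [WR_SEND_IMM] = CQ_OP_SEND,
};

/* A completion-queue element as user space might see it via mmap. */
struct cqe {
    uint8_t  opcode;
    uint8_t  status;
    uint64_t wr_id;
};

/* Bounds-checked lookup. Returns 0 and stores the mapped value on a
 * known opcode; returns -1 and never touches the table otherwise. */
int map_opcode(unsigned int wr_op, uint8_t *out)
{
    if (wr_op >= WR_OPCODE_COUNT)
        return -1;
    *out = wr_to_cq_opcode[wr_op];
    return 0;
}

/* Flush one pending work request as the QP goes to the error state.
 * The CQE is fully initialised before the lookup, so an undefined
 * opcode yields CQ_OP_INVALID rather than an out-of-range read or an
 * uninitialised byte in a user-visible element. */
struct cqe flush_wr(uint64_t wr_id, unsigned int wr_op)
{
    struct cqe c = { .opcode = CQ_OP_INVALID, .status = CQ_FLUSH_ERR, .wr_id = wr_id };
    uint8_t mapped;

    if (map_opcode(wr_op, &mapped) == 0)
        c.opcode = mapped;
    return c;
}

int main(void)
{
    /* Constructed inputs: one valid immediate send, one undefined opcode. */
    struct cqe a = flush_wr(1, WR_SEND_IMM);
    struct cqe b = flush_wr(2, 0x7f);

    printf("wr_id=%llu opcode=0x%02x status=%u\n",
           (unsigned long long)a.wr_id, a.opcode, a.status);
    printf("wr_id=%llu opcode=0x%02x status=%u\n",
           (unsigned long long)b.wr_id, b.opcode, b.status);
    return 0;
}
```

The check lives in map_opcode rather than at each call site so that both the completion path and the flush path in a driver share one guard; initialising the CQE before the lookup is what keeps undefined values out of a memory-mapped completion queue even when the lookup fails.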

Remediation

Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability.

Added: Dec 24, 2025, 5:52 PM
Updated: Dec 24, 2025, 5:52 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.