Linux Kernel Pstore Kcore Oops Vulnerability via Improper Vmap Usage

Vulnerability

A vulnerability in the Linux kernel's pstore implementation can lead to a kernel oops. The issue arises on devices using the pstore ram backend when the command 'cat /proc/kcore > /dev/null' is executed. The cause is that kmap_atomic() incorrectly assumes that low memory pages can be accessed with __va(). This incorrect assumption leads to a data abort when the virtual address of a low memory page is accessed, causing a kernel oops. The vulnerability is present in Linux kernel versions prior to 5.15.67.

Impact

Exploitation of this vulnerability causes a kernel oops, which is an internal error indicating a problem in the kernel that can lead to a crash or instability.

Reproduction

To reproduce this vulnerability, run the command 'cat /proc/kcore > /dev/null' on a device using the Linux kernel with the pstore ram backend. This will trigger the kernel oops by causing kmap_atomic() to attempt to access low memory pages that are not properly mapped, leading to a data abort error.

Remediation

The vulnerability has been addressed by passing the VM_IOREMAP flag to vmap(). This change allows vread() to skip the ramoops region when /proc/kcore is read, preventing the oops. Users should upgrade to Linux kernel version 5.15.67 or later, where this fix is applied.
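
A host check for the two conditions described above (ram backend active, kernel older than 5.15.67), as an added example that is not part of the original advisory. It assumes the active backend is readable from /sys/module/pstore/parameters/backend and is named "ramoops" for the ram backend; it compares only against the version named on this page, so vendor kernels carrying a backported fix can still be reported as exposed.

```shell
#!/bin/sh
# Added example: classify a host against this advisory's conditions.
# Function names and result strings are hypothetical, chosen for illustration.
FIXED="5 15 67"   # fixed version as stated on this page

# Print "major minor patch" parsed from a kernel release string.
kver_triplet() {
    printf '%s\n' "$1" | sed -n \
      's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p'
}

# Return 0 if release $1 is older than FIXED, 1 if not, 2 if unparseable.
older_than_fixed() {
    set -- $(kver_triplet "$1")
    [ $# -ge 2 ] || return 2
    maj=$1 min=$2 pat=${3:-0}      # a missing patch level counts as 0
    set -- $FIXED
    [ "$maj" -ne "$1" ] && { [ "$maj" -lt "$1" ]; return; }
    [ "$min" -ne "$2" ] && { [ "$min" -lt "$2" ]; return; }
    [ "$pat" -lt "$3" ]
}

# $1 = kernel release (uname -r), $2 = active pstore backend name.
pstore_kcore_exposure() {
    case $2 in
        ramoops) ;;                              # ram backend in use
        *) echo "not-applicable"; return 0 ;;    # other or no backend
    esac
    older_than_fixed "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "exposed" ;;
        1) echo "fixed-by-version" ;;
        *) echo "unknown" ;;
    esac
}

# Stand-alone run against the local host; a missing sysfs file is tolerated.
backend=$(cat /sys/module/pstore/parameters/backend 2>/dev/null || true)
pstore_kcore_exposure "$(uname -r)" "$backend"
```
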

Added: Dec 30, 2025, 5:19 PM
Updated: Dec 30, 2025, 5:19 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.