Linux Kernel ublk Driver Queue Depth Overflow Vulnerability Leading to Out-of-Bounds Memory Access

A vulnerability in the Linux kernel's ublk driver has been identified, where an overflow occurs in the queue depth management of multiqueue ublk devices. The issue arises because the maximum queue depth can be set to 4096, but when this depth is assigned to a ublk device, the calculated queue size can exceed 65535, causing an overflow. This overflow leads to the ublk_get_queue() function referencing an incorrect pointer, allowing for out-of-bounds memory access. The vulnerability has been addressed by extending the queue_size parameter in the ublk_device structure to an unsigned int.

Impact

Exploitation of this vulnerability allows for out-of-bounds memory access, which can lead to memory corruption or arbitrary code execution.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for updating the Linux kernel can be found in the official Linux documentation or through the package manager for your Linux distribution.