Linux Kernel Slab-Out-Of-Bounds Vulnerability in RAID10 Bitmap Management

Vulnerability

A slab-out-of-bounds vulnerability has been identified in the Linux kernel's RAID10 bitmap management. The issue arises when a large number is written to 'md/bitmap_set_bits', which causes 'md_bitmap_checkpage()' to return an error because the page index is equal to or greater than the number of bitmap pages. That error was not properly handled in 'md_bitmap_get_counter()', leading to an out-of-bounds memory access. The vulnerability affects the Linux kernel stable tree.

Impact

Triggering this vulnerability produces a slab-out-of-bounds condition, which can potentially be exploited to overwrite memory and execute arbitrary code.

Reproduction

The vulnerability can be reproduced by writing a large value to the 'md/bitmap_set_bits' sysfs attribute. This action will cause 'md_bitmap_checkpage()' to return an error, indicating that the specified page is out of range. However, the error is not immediately checked in 'md_bitmap_get_counter()', allowing a slab-out-of-bounds condition to occur.
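The missing error check described above, shown as a small user-space model with the unchecked lookup beside a hardened one. This is an added example, not kernel source and not the upstream patch; every name, structure and size in it (model_bitmap, model_checkpage, COUNTERS_PER_PAGE and so on) is hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* User-space model only; every name and size here is hypothetical. */
#define COUNTERS_PER_PAGE 4UL            /* constructed value */
#define NUM_PAGES 2UL                    /* constructed value */

struct model_page { uint16_t counters[COUNTERS_PER_PAGE]; };
struct model_bitmap { struct model_page *bp; unsigned long pages; };

static struct model_page model_storage[NUM_PAGES];
static struct model_bitmap model_bm = { model_storage, NUM_PAGES };

/* Range check: fails when the page index is >= the number of bitmap pages. */
static int model_checkpage(const struct model_bitmap *b, unsigned long page)
{
    return page >= b->pages ? -EINVAL : 0;
}

/* "Before" shape: the check runs but its result is dropped, so bp[page] is
 * indexed even for an out-of-range page. Only safe for in-range chunks. */
static uint16_t *get_counter_unchecked(struct model_bitmap *b, unsigned long chunk)
{
    unsigned long page = chunk / COUNTERS_PER_PAGE;
    (void)model_checkpage(b, page);
    return &b->bp[page].counters[chunk % COUNTERS_PER_PAGE];
}

/* Hardened shape: the error is returned before bp[] is ever touched. */
static uint16_t *get_counter_checked(struct model_bitmap *b, unsigned long chunk, int *err)
{
    unsigned long page = chunk / COUNTERS_PER_PAGE;
    *err = model_checkpage(b, page);
    if (*err)
        return NULL;
    return &b->bp[page].counters[chunk % COUNTERS_PER_PAGE];
}

/* Returns 0 when a counter was found, otherwise the propagated error. */
static int model_lookup(unsigned long chunk)
{
    int err;
    uint16_t *c = get_counter_checked(&model_bm, chunk, &err);
    if (c && c != get_counter_unchecked(&model_bm, chunk))
        return -EFAULT;   /* in range, both shapes must agree */
    return c ? 0 : err;
}
```

The boundary case is the first chunk past the last page: in this model chunk 8 maps to page 2, which equals the page count and must be rejected.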

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.

Added: Sep 17, 2025, 3:41 PM
Updated: Sep 17, 2025, 3:41 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.