Linux Kernel UFS Driver Stack-Based Buffer Overflow Vulnerability

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Linux kernel's UFS (Universal Flash Storage) driver. The issue arises in the error-handling path in which the host sends a device management command (NOP OUT) to recover the link. If that command times out and the subsequent doorbell clearing fails, 'ufshcd_wait_for_dev_cmd()' returns without resetting 'dev_cmd.complete' to NULL. The completion structure that pointer refers to was allocated on that function's stack frame, so if the device later completes the command, the completion handler is invoked on a stale pointer into a stack frame that no longer exists, and the kernel crashes.

Impact

Exploitation of this vulnerability causes a kernel panic, crashing the system.

Reproduction

The vulnerability can be reproduced by inducing a timeout in the device management command (NOP OUT) that the host sends to the UFS device for link recovery, for example by delaying command processing so that the command times out before the doorbell clearing operation completes. Once the command has timed out and the doorbell clearing has failed, 'ufshcd_wait_for_dev_cmd()' returns without resetting 'dev_cmd.complete'. If the UFS device then completes the command, the stale completion pointer is used, causing the stack-based buffer overflow and a subsequent kernel panic.
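As an added illustration (this is a model written for this page, not the kernel's UFS driver code), the following C snippet captures the pointer-lifetime pattern described in the Vulnerability and Reproduction sections: the buggy waiter returns on the timeout-plus-failed-doorbell-clear path without clearing the shared pointer to its stack-allocated completion, while the fixed waiter clears it on every exit. The struct names, the boolean inputs standing in for the timeout and doorbell-clear outcomes, and the handler stand-in are all assumptions of this model.

```c
/* Added example (not kernel code): a minimal model of the lifetime bug.
 * A completion object lives on the waiting function's stack; a shared
 * descriptor holds a pointer to it. If the waiter returns on timeout without
 * clearing that pointer, a later completion handler would dereference a stale
 * address inside a stack frame that has already been unwound. */
#include <stddef.h>
#include <stdbool.h>

struct completion { int done; };                 /* stand-in for struct completion */
struct dev_cmd { struct completion *complete; }; /* stand-in for hba->dev_cmd */

/* Simulated doorbell clear: returns false when clearing fails (the bad path). */
static bool clear_doorbell(bool clear_ok) { return clear_ok; }

/* Buggy waiter: on a timeout whose doorbell clear fails it returns early and
 * leaves cmd->complete pointing at the local 'wait', which is now out of scope. */
static int wait_for_dev_cmd_buggy(struct dev_cmd *cmd, bool timed_out, bool clear_ok)
{
    struct completion wait = { 0 };
    cmd->complete = &wait;
    if (timed_out && !clear_doorbell(clear_ok))
        return -1;               /* early return: pointer never reset */
    cmd->complete = NULL;
    return 0;
}

/* Fixed waiter: every exit path resets the pointer before 'wait' goes away. */
static int wait_for_dev_cmd_fixed(struct dev_cmd *cmd, bool timed_out, bool clear_ok)
{
    struct completion wait = { 0 };
    int ret = 0;
    cmd->complete = &wait;
    if (timed_out && !clear_doorbell(clear_ok))
        ret = -1;
    cmd->complete = NULL;        /* single exit: no dangling reference survives */
    return ret;
}

/* Completion-handler stand-in. Real code would signal cmd->complete; this
 * model only reports whether the handler would have used a stale pointer. */
static bool handler_would_use_stale(const struct dev_cmd *cmd)
{
    return cmd->complete != NULL;
}
```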

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: Sep 18, 2025, 3:04 PM
Updated: Sep 18, 2025, 3:04 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.