Linux Kernel SCSI qla4xxx Out-of-Bounds Read Vulnerability Due to Missing nlattr Length Check

Vulnerability

A vulnerability in the Linux kernel's SCSI qla4xxx driver allows for an out-of-bounds read that could leak sensitive heap data. This issue arises because the driver improperly parses netlink attributes (nlattrs) in several functions without validating their lengths first. A malformed nlattr, such as one with a length of zero, could be exploited to read beyond the intended buffer, potentially disclosing sensitive information.

Impact

The vulnerability could be exploited to read arbitrary memory from the heap, leading to the unintentional disclosure of sensitive data.

Reproduction

The vulnerability can be reproduced by sending a malformed netlink attribute to one of the affected functions in the qla4xxx SCSI driver. This can be done by crafting a netlink message that includes an attribute with an invalid length, such as zero. Once the message is sent, the driver will attempt to parse the attribute without proper validation, resulting in an out-of-bounds read.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that fixes this issue is 25feffb3fbd51ae81d92c65cebc0e932663828b3.
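To make the missing check concrete, here is an added userspace illustration (not code from the kernel or the qla4xxx driver) of the validation the vulnerability description and the fix are about: a parser that only reads an attribute's payload after confirming that nla_len actually covers the expected structure and that the attribute lies within the buffer. The nlattr layout (a 2-byte length followed by a 2-byte type) follows the kernel's struct nlattr; the payload structure and all function names are hypothetical stand-ins, and the attribute bytes are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of the kernel's struct nlattr: total length (header +
 * payload) followed by the attribute type. NLA_HDRLEN is 4 in the kernel. */
struct nlattr_model { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN_MODEL ((uint16_t)sizeof(struct nlattr_model))

/* Hypothetical fixed-size payload one attribute type is expected to carry
 * (a stand-in, not the real qla4xxx structure). */
struct iface_param_model { uint32_t iface_type; uint32_t value; };

/* Hardened parse: the payload is copied only if nla_len promises a whole
 * struct and the attribute lies inside the buffer. The bug class described
 * on this page is this function with the two nla_len comparisons missing,
 * so a zero-length attribute would make the copy read past its end into
 * neighbouring heap memory. Returns 0 on success, -1 if malformed. */
int parse_iface_param(const unsigned char *buf, size_t buflen,
                      struct iface_param_model *out)
{
    struct nlattr_model hdr;
    const size_t need = NLA_HDRLEN_MODEL + sizeof(*out);

    if (buflen < NLA_HDRLEN_MODEL)
        return -1;                         /* not even a header */
    memcpy(&hdr, buf, sizeof(hdr));
    if (hdr.nla_len < need || hdr.nla_len > buflen)
        return -1;                         /* zero/short or overlong length */
    memcpy(out, buf + NLA_HDRLEN_MODEL, sizeof(*out));
    return 0;
}

/* Builds a constructed attribute whose header claims claimed_len (so a bogus
 * value such as 0 can be tested), parses it, and returns the parsed value or
 * -1 if the parser rejected the attribute. */
long long parse_with_claimed_len(uint16_t claimed_len)
{
    unsigned char buf[64] = { 0 };         /* slack after the attribute */
    struct nlattr_model hdr = { claimed_len, 1 };
    struct iface_param_model p = { 2, 0x1234 }, out;
    size_t n = sizeof(hdr) + sizeof(p);    /* bytes actually present: 12 */

    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), &p, sizeof(p));
    if (parse_iface_param(buf, n, &out) != 0)
        return -1;
    return out.value;
}
```

A well-formed attribute (nla_len 12 here) parses, while a header claiming length 0, a header-only length of 4, or a length larger than the bytes present are all rejected before any payload byte is touched.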

Added: Oct 1, 2025, 2:49 PM
Updated: Oct 1, 2025, 2:49 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.