Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.3.0-rc5, < 6.3.0-rc5+
A vulnerability in the Linux kernel's null_blk component can trigger a kernel oops when the queue mode is set to legacy I/O. The issue occurs in versions through 6.3.0-rc5. The null_blk driver does not properly validate the queue mode configuration, so it accepts legacy I/O paths that are not supported. When the queue mode is set to legacy, the driver hits an oops, which can disrupt system operations.
Exploitation of this vulnerability causes a kernel oops that disrupts system operations. The oops occurs because the null_blk driver reaches an invalid state when legacy I/O is enabled, causing a fault that can be logged and potentially investigated as a system error.
To reproduce this vulnerability, load the null_blk module with no devices. Then, create a new null_blk device configuration. Set the memory_backed option to true, specify a block size of 4096 bytes, and allocate a size of 20480 bytes for the device. Crucially, set the queue mode to legacy I/O and power on the device. This sequence of steps will trigger the oops error, demonstrating the vulnerability.
Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.
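A check for the configuration state described above, as an added example that is not part of the original advisory or the kernel project. It assumes the null_blk configfs layout `/sys/kernel/config/nullb/<device>/` with `queue_mode` and `power` attributes, and that `queue_mode` value 1 selects the legacy request mode; the function name `nullb_legacy_devices` and the `NULLB_ROOT` variable are hypothetical.

```shell
#!/bin/sh
# Added example: audit null_blk configfs entries for the legacy queue mode.
# Assumption: devices live under /sys/kernel/config/nullb/<name>/ and the
# queue_mode attribute uses 0 = bio, 1 = legacy request, 2 = multiqueue.

NULLB_ROOT="${NULLB_ROOT:-/sys/kernel/config/nullb}"

# Print "<device> queue_mode=<n> power=<n>" for every device configured for
# legacy I/O. Returns 1 if at least one such device exists, 0 otherwise.
nullb_legacy_devices() {
    root="${1:-$NULLB_ROOT}"
    found=0
    for dev in "$root"/*/; do
        # Skips an unmatched glob and directories without a queue_mode file.
        [ -f "${dev}queue_mode" ] || continue
        mode=$(cat "${dev}queue_mode" 2>/dev/null) || continue
        power=$(cat "${dev}power" 2>/dev/null) || power="?"
        if [ "$mode" = "1" ]; then
            # power=0 means the device is configured but not yet powered on.
            echo "$(basename "$dev") queue_mode=$mode power=$power"
            found=1
        fi
    done
    return "$found"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    nullb_legacy_devices || echo "null_blk device(s) configured for legacy I/O" >&2
fi
```

A device reported with `power=0` has the legacy setting staged but has not been powered on yet.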