Linux Kernel iavf Driver Out-of-Bounds Vulnerability in Channel Management

A vulnerability allowing out-of-bounds memory access has been identified in the Linux kernel's iavf driver. This issue arises when the number of channels is set higher than allowed during the removal of a virtual function (VF). If the operation times out and returns an error, it inadvertently modifies the 'num_active_queues' variable. This can lead to an out-of-bounds condition, as 'num_active_queues' may exceed the actual number of allocated transmission and reception rings. The vulnerability has been addressed in versions through 4.18.0.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption.

Reproduction

The vulnerability can be reproduced by creating a script that allocates virtual functions on a PCI device, then removes one of the virtual functions while simultaneously setting the channel count to an invalid value. This process triggers a timeout, causing an error that disrupts the normal queue management, ultimately leading to the out-of-bounds condition.

Remediation

Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability.