Linux Kernel Buffer Overflow Vulnerability in iSCSI Target NACL Info Display

Vulnerability

A buffer overflow vulnerability has been identified in the Linux kernel's iSCSI target implementation. The issue arises in the function 'lio_target_nacl_info_show()', which calls 'sprintf()' in a loop to output details for each iSCSI connection within a session. None of these calls checks the remaining buffer length, so the output can run past the end of the single page supplied by configfs and corrupt adjacent memory. The vulnerability can be triggered by establishing enough iSCSI connections in one session to exceed the buffer capacity. The issue affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability leads to a buffer overflow and memory corruption. Such corruption could potentially be leveraged to execute arbitrary code, or it can cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by creating multiple iSCSI connections in a session and reading the NACL info attribute. As 'lio_target_nacl_info_show()' processes each connection, the unchecked 'sprintf()' calls keep appending past the buffer boundary, overflowing the buffer and corrupting memory.

Remediation

Upgrade to a patched Linux kernel, in which the unsafe 'sprintf()' calls are replaced with 'sysfs_emit_at()'. This change bounds every write to the remaining space in the page buffer. The specific commit containing the fix can be downloaded from the Linux kernel stable tree.
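As an added illustration (not kernel code, and not taken from the advisory or from the fix commit), the following userspace C model contrasts the two patterns: an unchecked 'sprintf()' loop whose output grows with the connection count regardless of buffer size, and the same loop written against a helper with the contract of the kernel's 'sysfs_emit_at()' (format at an offset, never past the one-page buffer, return the bytes actually stored). The 'struct conn' layout, the line format, the sample connection values and all helper names are assumptions of the example.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <stddef.h>

/* A configfs/sysfs show buffer is one page; this constant is the model's
 * stand-in for the kernel's PAGE_SIZE. */
#define PAGE_SIZE 4096

/* Hypothetical per-connection record (the real kernel structure has many
 * more fields; only what the show function prints is modelled here). */
struct conn {
    unsigned short cid;
    const char *ip;
    int port;
};

/* Constructed line format; not the exact text the kernel prints. */
#define CONN_FMT "   cid: %hu ip: %s port: %d\n"

/* Userspace model of sysfs_emit_at(): format into buf at offset `at`,
 * bounded by the page, and return the number of characters actually
 * stored (0 when the page is already full), like vscnprintf() does. */
static int model_emit_at(char *buf, int at, const char *fmt, ...)
{
    va_list ap;
    int len;

    if (at < 0 || at >= PAGE_SIZE)
        return 0;
    va_start(ap, fmt);
    len = vsnprintf(buf + at, (size_t)(PAGE_SIZE - at), fmt, ap);
    va_end(ap);
    if (len < 0)
        return 0;
    if (len >= PAGE_SIZE - at)        /* truncated: report only what fits */
        len = PAGE_SIZE - at - 1;
    return len;
}

/* The unsafe pattern from the advisory, measured rather than executed:
 * bytes (including the terminating NUL) that an unchecked sprintf() loop
 * would store for n connections. Nothing here relates the total to the
 * page size, which is exactly the defect. */
static size_t unbounded_len(const struct conn *c, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (size_t)snprintf(NULL, 0, CONN_FMT, c[i].cid, c[i].ip, c[i].port);
    return total + 1;
}

/* The fixed pattern: same loop, but every write goes through the bounded
 * helper and the loop stops once the page is full. Returns bytes placed in
 * page (always < PAGE_SIZE); *started counts records that got at least one
 * byte, so a caller can see that output was cut short rather than overflowed. */
static int bounded_show(char *page, const struct conn *c, size_t n, size_t *started)
{
    int rb = 0;
    *started = 0;
    for (size_t i = 0; i < n; i++) {
        int w = model_emit_at(page, rb, CONN_FMT, c[i].cid, c[i].ip, c[i].port);
        if (w == 0)
            break;
        rb += w;
        (*started)++;
    }
    return rb;
}

/* Constructed sample session: n connections with sequential cids. */
static size_t make_sample_conns(struct conn *c, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        c[i].cid = (unsigned short)(i + 1);
        c[i].ip = "10.0.0.1";
        c[i].port = 3260;
    }
    return n;
}

static struct conn g_conns[256];
static char g_page[PAGE_SIZE];

int main(void)
{
    size_t n = make_sample_conns(g_conns, 200), started;
    size_t need = unbounded_len(g_conns, n);
    int rb = bounded_show(g_page, g_conns, n, &started);

    printf("%zu connections: sprintf() loop needs %zu bytes for a %d-byte page (%s)\n",
           n, need, PAGE_SIZE, need > PAGE_SIZE ? "OVERFLOW" : "fits");
    printf("bounded loop stored %d bytes, %zu of %zu records started\n", rb, started, n);
    return 0;
}
```

With 200 sample connections the unchecked loop needs well over the 4096-byte page, while the bounded loop stores at most 4095 bytes and simply stops emitting records; that truncation, visible as an incomplete listing, is the intended behaviour of the fix rather than a defect.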

Added: Oct 7, 2025, 4:59 PM
Updated: Oct 7, 2025, 4:59 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.