Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's handling of the SVE first-fault register (FFR) when SVE state is saved while a task is in streaming SVE mode. In streaming mode FFR is inaccessible (unless FEAT_SME_FA64 is implemented and enabled), so instead of reading it the kernel clears the FFR field of the in-memory context structure. FFR is one eighth of the vector length wide, 16 to 256 bits (2 to 32 bytes) depending on the vector length in use, but the kernel clears the field with an unconditional 8-byte store. This is flawed in both directions: when the SME vector length exceeds 64 bytes (512 bits) the FFR field is wider than 8 bytes and the store leaves stale bytes in the field; when the SME vector length is below 64 bytes the field is narrower than 8 bytes and the store runs past it, corrupting memory immediately following the structure. The overrun has shown up as intermittent memory corruption in kernel self-tests, in particular kmalloc Redzone corruption reports while running the 'fp-stress' kselftest.
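To make the size mismatch concrete, the following C program is an added, host-side model written for this page; it is not kernel code. It lays out a context the way the text describes (32 Z registers of VL bytes, 16 predicate registers of VL/8 bytes, then FFR of VL/8 bytes as the last field), places a sentinel region after the structure to stand in for the slab redzone, and replays both the buggy unconditional 8-byte clear and a clear sized to the vector length over every legal vector length from 128 to 2048 bits. The layout, the sentinel value and all helper names are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added model of the in-memory SVE context, not kernel code.
 * Assumed layout: 32 Z registers of VL bytes, 16 P registers of VL/8 bytes,
 * then FFR of VL/8 bytes, with FFR the last field of the allocation.
 */
#define NUM_Z_REGS    32
#define NUM_P_REGS    16
#define REDZONE_BYTES 8      /* sentinel bytes after the structure, stands in for the slab redzone */
#define SENTINEL      0xAA   /* stale contents before the save; also the redzone pattern */
#define MIN_VL_BYTES  16     /* 128-bit vector */
#define MAX_VL_BYTES  256    /* 2048-bit vector */

static size_t ffr_bytes(unsigned vl_bytes) { return vl_bytes / 8; }   /* 2..32 bytes */

static size_t ffr_offset(unsigned vl_bytes)
{
    return NUM_Z_REGS * vl_bytes + NUM_P_REGS * (vl_bytes / 8);
}

static size_t context_bytes(unsigned vl_bytes)
{
    return ffr_offset(vl_bytes) + ffr_bytes(vl_bytes);
}

struct clear_result {
    int overrun;      /* 1 if any byte past the end of the structure was modified */
    int incomplete;   /* 1 if any byte of the FFR field still holds stale data */
};

/*
 * Simulate saving SVE state in streaming mode, where FFR cannot be read and
 * the FFR field is zeroed instead. use_fixed == 0 models the buggy
 * unconditional 8-byte store; use_fixed != 0 models a store sized to VL/8.
 */
static struct clear_result simulate_ffr_clear(unsigned vl_bytes, int use_fixed)
{
    struct clear_result r = { 0, 0 };
    size_t size = context_bytes(vl_bytes);
    uint8_t *ctx = malloc(size + REDZONE_BYTES);
    if (!ctx) {
        perror("malloc");
        exit(1);
    }
    memset(ctx, SENTINEL, size + REDZONE_BYTES);   /* stale state plus sentinel redzone */
    uint8_t *ffr = ctx + ffr_offset(vl_bytes);

    if (use_fixed) {
        memset(ffr, 0, ffr_bytes(vl_bytes));        /* clear exactly the FFR field */
    } else {
        uint64_t zero = 0;                          /* "str xzr, [ffr]": always 8 bytes */
        memcpy(ffr, &zero, sizeof zero);
    }

    for (size_t i = 0; i < ffr_bytes(vl_bytes); i++)
        if (ffr[i] != 0)
            r.incomplete = 1;
    for (size_t i = 0; i < REDZONE_BYTES; i++)
        if (ctx[size + i] != SENTINEL)
            r.overrun = 1;

    free(ctx);
    return r;
}

/* Count legal vector lengths (multiples of 16 bytes) for which the clear
 * either overruns the structure or leaves stale FFR bytes behind. */
static int count_misbehaving_vls(int use_fixed)
{
    int n = 0;
    for (unsigned vl = MIN_VL_BYTES; vl <= MAX_VL_BYTES; vl += 16) {
        struct clear_result r = simulate_ffr_clear(vl, use_fixed);
        if (r.overrun || r.incomplete)
            n++;
    }
    return n;
}

int main(void)
{
    printf("VL(bytes) FFR(bytes)  8-byte store           VL/8 store\n");
    for (unsigned vl = MIN_VL_BYTES; vl <= MAX_VL_BYTES; vl += 16) {
        struct clear_result b = simulate_ffr_clear(vl, 0);
        struct clear_result f = simulate_ffr_clear(vl, 1);
        printf("%8u %10zu  overrun=%d stale=%d    overrun=%d stale=%d\n",
               vl, ffr_bytes(vl), b.overrun, b.incomplete, f.overrun, f.incomplete);
    }
    return 0;
}
```

The table shows that only a 64-byte (512-bit) vector length makes the 8-byte store exactly right: the three shorter lengths overrun the structure by 6, 4 and 2 bytes, and every longer length leaves part of FFR uncleared. Sizing the clear to VL/8 is correct for all sixteen lengths.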
The impact is kernel memory corruption: whenever the kernel saves the state of a task in streaming SVE mode with a vector length below 64 bytes, the out-of-bounds store overwrites up to 6 bytes immediately after the context structure. With slab debugging enabled this lands in the kmalloc Redzone, which exists to detect exactly this kind of overflow, and is reported as Redzone corruption or as a KFENCE splat; without debugging the same bytes silently corrupt whatever heap object follows, which can destabilise the system.
The issue can be reproduced by running the 'fp-stress' kernel self-test on an affected arm64 system that supports SME, since its streaming-mode workloads cause the kernel to repeatedly save streaming SVE state. The corruption is intermittent, so the test may need several runs; enabling slab redzoning (slub_debug) or KFENCE makes the overrun visible as a kmalloc Redzone corruption message rather than silent heap damage.
The issue has been fixed in the Linux kernel. Affected users should upgrade to a kernel release, including stable backports, that contains the fix.