Linux Kernel IOMMU/AMD Command-Line Parameter Length Limitation Vulnerability

A buffer overflow vulnerability has been identified in the Linux kernel's IOMMU/AMD handling of the 'ivrs_acpihid' command-line parameter. This issue arises because the 'acpiid' buffer in the 'parse_ivrs_acpihid' function lacks a width limitation in the format string used by 'sscanf()', allowing for potential overflow. The vulnerability affects the stable versions of the Linux kernel.

Impact

The vulnerability could lead to a buffer overflow, which may be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by passing an overly long string to the 'ivrs_acpihid' command-line parameter, exceeding the buffer's capacity. This can be done by specifying a string that includes more characters than the 'acpiid' buffer can safely handle, taking advantage of the lack of width limitation in the 'sscanf()' format string.

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation or through the package management system of the respective Linux distribution.