Linux Kernel SCSI QLA2XXX Driver Array Index Out-of-Bounds Vulnerability

Vulnerability

A vulnerability in the Linux kernel's SCSI QLA2XXX driver can lead to an out-of-bounds array index. The array 'vha->host_str' has a size of 16, so its valid indexes are 0 to 15, but it may be accessed using index values 16 to 19. The issue has been addressed by modifying the code to use 'snprintf()' instead of 'sprintf()', which bounds the write to the size of the array and prevents potential buffer overflows.
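
The effect of that change, as an added user-space example (not the driver's code or the upstream patch): it measures how many bytes an unbounded 'sprintf()' would write into a 16-byte buffer, then performs the bounded 'snprintf()' write and reports truncation. The 'struct demo_host' type, its 'canary' field and the "qla2xxx_%lu" format string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HOST_STR_SIZE 16            /* size of host_str stated on the page */

struct demo_host {                  /* hypothetical stand-in for the driver's vha */
    char host_str[HOST_STR_SIZE];
    char canary[4];                 /* neighbour an unbounded write would clobber */
};

/* Bytes, including the NUL, that an unbounded sprintf() would write.
 * The format string is an assumption, not taken from the driver. */
static size_t host_str_needed(unsigned long host_no)
{
    int n = snprintf(NULL, 0, "qla2xxx_%lu", host_no);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded form: never writes past host_str. Returns 1 if the output was
 * truncated (or formatting failed), 0 if it fit. */
static int set_host_str(struct demo_host *h, unsigned long host_no)
{
    int n = snprintf(h->host_str, sizeof(h->host_str), "qla2xxx_%lu", host_no);
    return n < 0 || (size_t)n >= sizeof(h->host_str);
}

int main(void)
{
    /* Constructed sample host numbers: two that fit, two that do not. */
    unsigned long samples[] = { 7UL, 1234567UL, 12345678UL, 4294967295UL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct demo_host h;
        memcpy(h.canary, "SAFE", 4);

        size_t need = host_str_needed(samples[i]);
        int truncated = set_host_str(&h, samples[i]);

        /* need > 16 means sprintf() would have written index 16 or beyond. */
        printf("host_no=%lu needs %zu bytes, truncated=%d, stored=\"%s\", canary %s\n",
               samples[i], need, truncated, h.host_str,
               memcmp(h.canary, "SAFE", 4) == 0 ? "intact" : "clobbered");
    }
    return 0;
}
```

With this assumed format, an eight-digit host number is the first to need 17 bytes, so its terminating NUL would land on index 16; the bounded call stores the first 15 characters and leaves the neighbouring field untouched.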

Impact

Exploitation of this vulnerability could cause a buffer overflow: when the array index exceeds the allocated size, the write lands outside the array, potentially causing memory corruption or other unintended behavior in the kernel.

Reproduction

The vulnerability can be reproduced by creating a SCSI QLA2XXX host and triggering the code path that writes to the 'vha->host_str' array. This can be done by loading the QLA2XXX driver with a configuration that initializes the host structure, which will then use 'sprintf()' to write the host information into the 'host_str' array. The Klocwork static analysis tool can also be used to identify the out-of-bounds access by reporting that the index value can exceed the array size.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree. The specific commit addressing this vulnerability is 'd721b591b95cf3f290f8a7cbe90aa2ee0368388d', which can be downloaded as part of the Linux kernel stable release.

Added: Dec 30, 2025, 4:17 PM
Updated: Dec 30, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.