Linux Kernel IOMMU User Fault Injection Overflow Vulnerability

Vulnerability

A vulnerability in the Linux kernel's IOMMU user fault injection handling can lead to incorrect memory page management. The issue arises when a user-provided virtual address (VA) wraps around zero, so that pin_user_pages is called with invalid arguments and unexpectedly returns zero. The vulnerability allows memory pages to be created from a user pointer and size whose sum would mathematically overflow, potentially leading to memory corruption or other unintended behavior.

Impact

Exploitation of this vulnerability can cause memory management errors, such as invalid page pinning, which could disrupt normal operations or lead to memory corruption.

Reproduction

The vulnerability can be reproduced by setting up a memory map with a user virtual address that wraps past zero. This is done by providing a user pointer and size that, when added together, exceed the maximum value of an unsigned long, causing the address to wrap around. pin_user_pages then returns zero, indicating an error, and the invalid address handling triggers the warning.
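The wraparound described above, and the range check that rejects it, as an added userspace C example (not the kernel's fix and not code from this advisory). The names naive_end, user_range_ok and the EX_PAGE_* macros are hypothetical, and 4 KiB pages are assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SHIFT 12UL                   /* assumption: 4 KiB pages */
#define EX_PAGE_SIZE  (1UL << EX_PAGE_SHIFT)

/* Naive end computation: wraps silently when uptr + length overflows. */
static uintptr_t naive_end(uintptr_t uptr, size_t length)
{
    return uptr + length;
}

/*
 * Hypothetical validator (not a kernel function): accept a user range only
 * if it is non-empty and its last byte is reachable without wrapping past
 * zero. On success, *npages receives the number of pages the range touches.
 */
static bool user_range_ok(uintptr_t uptr, size_t length, size_t *npages)
{
    uintptr_t last;

    if (length == 0)
        return false;
    /* last = uptr + (length - 1); reject the range if the sum overflows. */
    if (__builtin_add_overflow(uptr, (uintptr_t)(length - 1), &last))
        return false;
    *npages = (size_t)((last >> EX_PAGE_SHIFT) - (uptr >> EX_PAGE_SHIFT)) + 1;
    return true;
}

int main(void)
{
    /* Constructed input: starts one page below the top of the address
     * space and claims two pages, so uptr + length wraps past zero. */
    uintptr_t uptr = UINTPTR_MAX - EX_PAGE_SIZE + 1;
    size_t length = 2 * EX_PAGE_SIZE, n = 0;
    uintptr_t end = naive_end(uptr, length);
    bool wrapped_ok = user_range_ok(uptr, length, &n);
    bool sane_ok = user_range_ok(0x40001000UL, 3 * EX_PAGE_SIZE, &n);

    printf("naive end %#lx is below start: %d\n", (unsigned long)end, end < uptr);
    printf("wrapping range accepted: %d\n", wrapped_ok);
    printf("sane range accepted: %d, pages: %zu\n", sane_ok, n);
    return 0;
}
```

The check is done on the last byte rather than on uptr + length, so a range that ends exactly at the top of the address space is still accepted while one that wraps is rejected before any page count is derived from it.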

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The specific commit containing the fix is available in the Linux kernel stable tree.

Added: Dec 30, 2025, 3:15 PM
Updated: Dec 30, 2025, 3:15 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 1.3
exploitability: 4.3
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.