Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's dm-flakey module can lead to corruption of the zero page, causing crashes in various userspace programs. This issue arises when the __blkdev_issue_zero_pages function submits a write bio that points to the zero page. If the dm-flakey module is used with the 'corrupt bio writes' option, it can overwrite the zero page's contents. This is problematic because the GNU C Library (glibc) relies on memory mapped by mmap being zeroed, using it for the calloc function. If the memory is not properly zeroed, calloc will return uninitialized memory. The vulnerability affects the Linux kernel's stable releases.
Exploitation of this vulnerability can cause crashes in userspace applications that rely on the calloc function, because calloc can return memory that is not zeroed.
To reproduce this vulnerability, load the dm-flakey module with the 'corrupt bio writes' option enabled. Then, use the __blkdev_issue_zero_pages function to zero a range on a block device. This will submit a write bio that points to the zero page. The dm-flakey module will corrupt the zero page's contents, leading to crashes in userspace programs that depend on properly initialized memory.
The vulnerability has been addressed in a patch that checks if the page is the zero page and prevents corruption in such cases. This patch is available in the Linux kernel stable releases.
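As an added example (not part of the advisory or the kernel patch), this userspace health check scans freshly mapped anonymous memory and a large calloc() buffer for nonzero bytes, the symptom described above. It assumes Linux, where read faults on untouched anonymous memory are served from the shared zero page, and glibc's default behaviour of serving large calloc() requests from mmap; the function names are illustrative.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS under strict -std modes */
#endif
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Count nonzero bytes. volatile forces real loads, so the compiler cannot
 * assume calloc() memory is zero and fold the scan away. */
static size_t count_nonzero(const volatile unsigned char *buf, size_t len)
{
    size_t bad = 0;
    for (size_t i = 0; i < len; i++)
        bad += (buf[i] != 0);
    return bad;
}

/* Map `pages` pages read-only and never write to them: every read fault
 * is then backed by the kernel's zero page (assumption stated above).
 * Returns the number of nonzero bytes, or (size_t)-1 if mmap fails. */
size_t check_fresh_mapping(size_t pages)
{
    size_t len = pages * (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return (size_t)-1;
    size_t bad = count_nonzero(p, len);
    munmap(p, len);
    return bad;
}

/* Same scan through calloc(): a request above glibc's mmap threshold
 * relies on the kernel having zeroed the pages. */
size_t check_large_calloc(size_t bytes)
{
    unsigned char *p = calloc(1, bytes);
    if (p == NULL)
        return (size_t)-1;
    size_t bad = count_nonzero(p, bytes);
    free(p);
    return bad;
}

int main(void)
{
    size_t m = check_fresh_mapping(16), c = check_large_calloc((size_t)4 << 20);
    printf("nonzero bytes: fresh mmap=%zu, large calloc=%zu\n", m, c);
    return (m != 0 || c != 0);   /* nonzero exit: zero page looks corrupted */
}
```

A nonzero count on a host that uses dm-flakey for fault-injection testing is a reason to check whether the running kernel carries the fix.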