Linux Kernel Out-of-Bounds Read Vulnerability in QAT Driver

Vulnerability

An out-of-bounds read has been identified in the Linux kernel's Intel QuickAssist Technology (QAT) driver, in kernel versions that lack the fix. The issue arises in AES-CTR request handling, where the driver mishandles the key size. For QAT GEN4 devices, the key size is expected to be rounded up by 16 bytes. If this rounding occurs before the key is copied to the driver's internal structure, the copy uses the rounded-up size and can read beyond the memory allocated for the key. The issue was flagged by the Kernel Address Sanitizer (KASAN), which reported a global out-of-bounds read by the cryptomgr_test task.

Impact

Exploitation of this vulnerability causes a global out-of-bounds read, where the driver reads data from an invalid memory location. This can potentially lead to information disclosure or other unintended behavior in the kernel.

Reproduction

The vulnerability can be reproduced by using the Intel QAT driver with a QAT GEN4 device. When an AES-CTR request is prepared, the driver copies the user-provided key into a structure that the firmware can access. If the key size is rounded up before this copy, the copy length exceeds the actual size of the key, causing an out-of-bounds read. This scenario can be tested by creating a key that, when rounded up, exceeds the allocated memory, and then initiating a cryptographic operation that triggers the vulnerability.
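
Added example (not code from the kernel or from this advisory): a user-space C model of the ordering problem described above, showing how many bytes a round-first copy would read past the key and the copy-first ordering that avoids it. It assumes "rounded up by 16" means rounding up to the next multiple of 16; struct fw_desc, FW_KEY_SLOT and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FW_KEY_SLOT 32                       /* hypothetical slot size */
#define ROUND_UP16(n) (((n) + 15u) & ~(size_t)15u)

/* Hypothetical stand-in for the firmware-visible descriptor. */
struct fw_desc {
    unsigned char key[FW_KEY_SLOT];
    size_t keylen;                           /* length reported to the device */
};

/* Flawed ordering: the length is rounded first, so a memcpy() using it
 * would read this many bytes from the caller's key buffer. */
size_t bytes_read_round_first(size_t keylen)
{
    return ROUND_UP16(keylen);
}

/* Bytes read past the end of a key buffer that holds exactly keylen bytes. */
size_t overread(size_t keylen)
{
    return bytes_read_round_first(keylen) - keylen;
}

/* Safe ordering: copy the real key length, then round the stored length. */
int set_key_copy_first(struct fw_desc *d, const unsigned char *key, size_t keylen)
{
    if (keylen != 16 && keylen != 24 && keylen != 32)
        return -1;                           /* not an AES key size */
    memset(d->key, 0, sizeof(d->key));       /* model choice: zero the padding */
    memcpy(d->key, key, keylen);             /* reads only the caller's bytes */
    d->keylen = ROUND_UP16(keylen);
    return 0;
}

int main(void)
{
    static const size_t sizes[] = { 16, 24, 32 };   /* AES key sizes in bytes */
    for (size_t i = 0; i < 3; i++)
        printf("keylen %zu: round-first over-read = %zu bytes\n",
               sizes[i], overread(sizes[i]));
    return 0;
}
```

In this model only the 24-byte (AES-192) key is not already a multiple of 16, so it is the one size for which the round-first ordering reads 8 bytes beyond the key.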

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit addressing this issue is available in the Linux stable tree.

Added: Dec 30, 2025, 1:46 PM
Updated: Dec 30, 2025, 1:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.