Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability allowing a heap overwrite has been identified in the Linux kernel's RapidIO driver. The issue arises in the 'riocm_cdev_ioctl' function, specifically when handling the 'RIO_CM_CHAN_SEND' command. While the 'cm_chan_msg_send' function properly validates the amount of data received from userspace, the 'riocm_ch_send' function fails to ensure that sufficient data has been provided. As a result, 'riocm_ch_send' can write to fields of the 'rio_ch_chan_hdr' header that lie beyond the bounds of the allocated memory. The vulnerability has been addressed by modifying 'riocm_ch_send' to verify that the entire header was copied in from userspace.
Exploitation of this vulnerability could lead to a heap overwrite, potentially allowing for arbitrary code execution or other malicious actions.