Linux Kernel IPMI Interface Memory Corruption Vulnerability

Vulnerability

A memory corruption vulnerability has been identified in the Linux kernel's IPMI message handling component. The issue arises in the 'ipmi_create_user()' function: when no interface with the requested 'intf->intf_num' is found, the 'intf' pointer is left invalid. The vulnerability occurs because the function's error path still calls 'atomic_dec()' on that invalid pointer, corrupting memory. The problem has been addressed by modifying the function to avoid unnecessary decrements of the user count, particularly when the interface is not in shutdown mode.

Impact

Exploitation of this vulnerability can lead to memory corruption, which may cause undefined behavior in the kernel, potentially allowing for arbitrary code execution or creating a denial-of-service condition.

Reproduction

To reproduce this vulnerability, create a scenario where 'ipmi_create_user()' is called with an 'intf_num' that does not correspond to a valid IPMI interface. This will result in the 'intf' pointer being invalid. The function will then call 'atomic_dec()' on the invalid pointer, causing memory corruption.
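The lookup and error path described above, modelled in user-space C as an added illustration (this is not kernel code): the interface table, 'find_intf()', 'create_user()' and 'user_count()' are hypothetical simplifications, and the point shown is that a failed lookup returns before any count is touched, so each error path releases only a count it actually took.

```c
/* Constructed user-space model of the ipmi_create_user() lookup and its
 * error path. Names and structures are simplified stand-ins, not kernel code. */
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>

#define MAX_USERS 3   /* stand-in for the module's per-interface user limit */

struct ipmi_intf {
    int intf_num;
    atomic_int nr_users;
};

/* Constructed interface table: only interface numbers 0 and 1 exist. */
static struct ipmi_intf interfaces[] = {
    { .intf_num = 0, .nr_users = 0 },
    { .intf_num = 1, .nr_users = 0 },
};

/* Returns NULL when no interface carries if_num. In the vulnerable shape the
 * caller kept a pointer that never pointed at a real interface after a failed
 * search, and its shared error label decremented a counter through it. */
static struct ipmi_intf *find_intf(int if_num)
{
    for (size_t i = 0; i < sizeof interfaces / sizeof interfaces[0]; i++)
        if (interfaces[i].intf_num == if_num)
            return &interfaces[i];
    return NULL;
}

/* Fixed shape: every return path releases exactly what it acquired.
 * Returns 0 and stores the interface, or a negative errno with *out = NULL. */
int create_user(int if_num, struct ipmi_intf **out)
{
    struct ipmi_intf *intf = find_intf(if_num);

    *out = NULL;
    if (!intf)
        return -EINVAL;   /* nothing was incremented, so nothing is decremented */
    if (atomic_fetch_add(&intf->nr_users, 1) + 1 > MAX_USERS) {
        atomic_fetch_sub(&intf->nr_users, 1);   /* undo only our own increment */
        return -EBUSY;
    }
    *out = intf;
    return 0;
}

/* Current user count of an interface, or -1 if it does not exist. */
int user_count(int if_num)
{
    struct ipmi_intf *intf = find_intf(if_num);
    return intf ? atomic_load(&intf->nr_users) : -1;
}
```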

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.