Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A memory corruption vulnerability has been identified in the Linux kernel's nbpfaxi DMA engine driver. This issue arises in the nbpf_probe() function, where the nbpf->chan[] array, allocated with 'num_channels' elements, is improperly accessed. The probing process inadvertently iterates beyond the allocated array size, leading to memory corruption. The vulnerability is present in the stable versions of the Linux kernel.
Exploitation of this vulnerability can lead to memory corruption, which may cause undefined behavior in the kernel, potentially allowing for arbitrary code execution or escalation of privileges.
The vulnerability can be reproduced by triggering the nbpf_probe() function in the nbpfaxi DMA engine driver. This can be done by loading a device that uses this driver, which will invoke the probing process. The memory corruption occurs because the function's loops iterate one element too far, causing the driver to overwrite adjacent memory. The issue is exacerbated when the irqbuf[] array contains error IRQs, as this desynchronizes the loop iterators, leading to further out-of-bounds access.
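The loop pattern described above, as a simplified user-space model added here for illustration; it is not the nbpfaxi driver's code. The names model_chan, assign_irqs and the inclusive flag are hypothetical and the IRQ numbers are constructed; every access is checked first, so the off-by-one bound and the iterator desynchronization are reported as errors instead of corrupting memory.

```c
#include <stddef.h>
#include <stdio.h>

struct model_chan { int irq; };          /* hypothetical per-channel struct */

enum { ASSIGN_OK = 0, ASSIGN_CHAN_OOB = -1, ASSIGN_IRQ_OOB = -2 };

/*
 * Copy channel IRQs from irqbuf[] into chan[], skipping error IRQ entries.
 * The channel index c and the IRQ index i advance separately, because each
 * skipped error IRQ moves i ahead of c. Both indices are checked before use.
 * inclusive != 0 models the "one element too far" bound (c <= num_channels).
 */
static int assign_irqs(struct model_chan *chan, size_t num_channels,
                       const int *irqbuf, size_t nirq, int eirq, int inclusive)
{
    size_t limit = inclusive ? num_channels + 1 : num_channels;
    size_t i = 0;

    for (size_t c = 0; c < limit; c++, i++) {
        if (c >= num_channels)
            return ASSIGN_CHAN_OOB;           /* would write past chan[] */
        while (i < nirq && irqbuf[i] == eirq)
            i++;                              /* skip error IRQ entries */
        if (i >= nirq)
            return ASSIGN_IRQ_OOB;            /* would read past irqbuf[] */
        chan[c].irq = irqbuf[i];
    }
    return ASSIGN_OK;
}

int main(void)
{
    /* Constructed sample: 3 channels, error IRQ 99 among the entries. */
    struct model_chan chan[3];
    const int irqbuf[] = { 10, 11, 99, 12 };
    const int too_few[] = { 10, 99, 99 };     /* error IRQs crowd out channels */

    printf("strict bound:    %d\n", assign_irqs(chan, 3, irqbuf, 4, 99, 0));
    printf("inclusive bound: %d\n", assign_irqs(chan, 3, irqbuf, 4, 99, 1));
    printf("short irqbuf:    %d\n", assign_irqs(chan, 3, too_few, 3, 99, 0));
    return 0;
}
```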
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The patch is available in the Linux kernel stable tree.