Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.17.0-rc1, < 6.17.0-rc1+
A stack corruption vulnerability has been identified in the Linux kernel's KVM implementation for the LoongArch architecture, in the IPI emulation function send_ipi_data(). That function calls kvm_io_bus_read(), passing a local buffer as the *val parameter. The buffer handed to kvm_io_bus_read() must be at least 8 bytes wide, because some of the read emulation callbacks reachable through the io bus, such as loongarch_ipi_readl() and kvm_eiointc_read(), store 8 bytes of signed data to *val regardless of the length argument. The buffer in send_ipi_data() is narrower than that, so the callback writes past its end into the surrounding kernel stack frame. CONFIG_STACKPROTECTOR does not cause the overflow; it detects the corrupted canary on return and reports it as a kernel panic, which is how the issue was observed. Without the stack protector the out-of-bounds write still happens, silently overwriting whatever the compiler placed above the buffer.
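To make the width mismatch concrete, the following is an added example written for this page; it is host-userspace C that models the contract described above and is neither kernel code nor the fix commit. The device, frame and function names (ipi_dev, ipi_read_ignores_len, send_ipi_data_narrow, send_ipi_data_wide) are hypothetical, the io-bus read callback signature is simplified, and the "canary" is simply the 4 bytes that sit after a 4-byte buffer in a modelled stack frame. It shows the len-ignoring reader clobbering those bytes when the caller reserves only 4, and both remedies: a caller buffer as wide as the widest store any bus reader can make (the 8 bytes the advisory requires), and a reader that honours the requested length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local errno value so the example builds without kernel headers. */
#define EINVAL_LOCAL 22

/* Toy device state standing in for the emulated IPI mailbox register
   (hypothetical model, not the kernel's struct). */
struct ipi_dev {
    uint64_t mailbox;
};

/* Simplified io-bus read callback: the contract is "fill `len` bytes at *val".
   The real kvm_io_bus_read() carries more arguments; only len/val matter here. */
typedef int (*iobus_read_fn)(const struct ipi_dev *dev, int len, void *val);

/* Reader with the flaw the advisory describes: it always stores the full
   64-bit register into *val and never consults len. */
static int ipi_read_ignores_len(const struct ipi_dev *dev, int len, void *val)
{
    (void)len;
    memcpy(val, &dev->mailbox, sizeof(uint64_t));   /* 8 bytes, whatever len says */
    return 0;
}

/* Hardened reader: writes exactly the width requested and rejects widths
   it cannot honour instead of guessing. */
static int ipi_read_honours_len(const struct ipi_dev *dev, int len, void *val)
{
    if (len == 8) {
        memcpy(val, &dev->mailbox, 8);
        return 0;
    }
    if (len == 4) {
        uint32_t lo = (uint32_t)dev->mailbox;
        memcpy(val, &lo, 4);
        return 0;
    }
    return -EINVAL_LOCAL;
}

/* Model of the caller's stack frame: bytes[0..3] is the 4-byte slot the
   caller reserved for the read, bytes[4..7] stand in for the stack-protector
   canary that sits above it. One 8-byte array keeps the model free of
   undefined behaviour while still showing the spill. */
#define CANARY_BYTE 0xA5
struct frame {
    uint8_t bytes[8];
};

static void frame_init(struct frame *f)
{
    memset(f->bytes, 0, 4);
    memset(f->bytes + 4, CANARY_BYTE, 4);
}

static int frame_canary_intact(const struct frame *f)
{
    for (int i = 4; i < 8; i++)
        if (f->bytes[i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Vulnerable caller pattern: a 4-byte buffer handed to a reader that may
   store 8. Returns 1 if the modelled canary survived, 0 if it was clobbered,
   -1 if the read failed. */
int send_ipi_data_narrow(const struct ipi_dev *dev, iobus_read_fn read, uint32_t *out)
{
    struct frame f;
    frame_init(&f);
    if (read(dev, 4, f.bytes) != 0)
        return -1;
    memcpy(out, f.bytes, 4);
    return frame_canary_intact(&f);
}

/* Fixed caller pattern: the buffer is as wide as the widest store any reader
   on the bus can make, so even a len-ignoring reader stays in bounds. */
int send_ipi_data_wide(const struct ipi_dev *dev, iobus_read_fn read, uint64_t *out)
{
    uint64_t val = 0;   /* 8-byte buffer, the minimum the advisory requires */
    if (read(dev, sizeof(val), &val) != 0)
        return -1;
    *out = val;
    return 1;
}

int main(void)
{
    struct ipi_dev dev = { .mailbox = 0x1122334455667788ull };   /* constructed sample */
    uint32_t v32 = 0;
    uint64_t v64 = 0;

    int ok = send_ipi_data_narrow(&dev, ipi_read_ignores_len, &v32);
    printf("4-byte buffer, len-ignoring reader: canary %s\n", ok ? "intact" : "CLOBBERED");

    ok = send_ipi_data_narrow(&dev, ipi_read_honours_len, &v32);
    printf("4-byte buffer, len-honouring reader: canary %s, val=0x%08x\n",
           ok ? "intact" : "CLOBBERED", v32);

    send_ipi_data_wide(&dev, ipi_read_ignores_len, &v64);
    printf("8-byte buffer, len-ignoring reader: val=0x%016llx\n", (unsigned long long)v64);
    return 0;
}
```

In a real kernel frame the compiler chooses what lies above the buffer; the stack-protector canary is one candidate, which is why the failure surfaces as a panic on return rather than at the write. The widened buffer fixes the caller in the advisory's own terms; the len-honouring reader is the complementary defence that keeps any future narrow caller safe.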
Because the corrupted frame belongs to the host kernel's KVM code, the impact is a host kernel panic: a denial of service that takes down the host and every guest and service running on it. No privilege escalation or information disclosure has been attributed to this issue.
Reproduction requires a LoongArch host running KVM with CONFIG_STACKPROTECTOR enabled and a guest whose IPI (Inter-Processor Interrupt) activity reaches the emulated send path handled by send_ipi_data(). When that path runs, the read callback stores 8 bytes into the narrower buffer and the stack-protector check fires on return, so the observable result is a host kernel panic whose message reports a corrupted stack in send_ipi_data(). CONFIG_STACKPROTECTOR is what makes the corruption visible, not what triggers it: on a kernel built without it the same overwrite occurs silently and may show up only as unrelated crashes or misbehaviour.
Users should upgrade to a kernel that contains the fix. The upstream commit resolving this issue is 5c68549c81bcca70fc464e305ffeefd9af968287, and it is carried in the affected Linux stable releases; check the host kernel's changelog or source tree for that commit when confirming a patched build.