Linux Kernel RISC-V KVM Stack Overrun Vulnerability in Vector CSR Handling

Vulnerability

A stack overrun vulnerability has been identified in the Linux kernel's RISC-V Kernel-based Virtual Machine (KVM) code, in the handler that lets userspace set the 'vlenb' Vector Control and Status Register (CSR) of a virtual CPU. KVM's one-reg interface encodes the size of the value being transferred in the register id, and the largest encodable size is 2048 bits (256 bytes). The vlenb handler copied the full user-specified size into a local variable that is only xlen bits wide (64 bits on rv64), so a userspace request with an oversized register id writes up to 2048 bits into an xlen-bit stack buffer, overrunning the kernel stack with attacker-supplied bytes. The root cause is that the requested size was not checked against the width of the destination buffer before the copy.

Impact

A process that controls a KVM virtual CPU on a RISC-V host (that is, the VMM, or anything with access to /dev/kvm) can overwrite host-kernel stack memory beyond the xlen-bit buffer with data it chooses. Depending on what lies above the buffer in the handler's frame and on whether the kernel is built with stack protection, this results in a host-kernel crash (denial of service) or, if the overwritten data can be steered, execution of attacker-controlled code in the host kernel, i.e. privilege escalation from host userspace. The guest does not need to be running for the overrun to occur; the trigger is entirely on the host side of the KVM interface.

Reproduction

The vulnerability is reached from host userspace through the KVM one-reg interface: a program opens /dev/kvm, creates a VM and a vCPU on a host where the vector extension is available to that vCPU, and issues a KVM_SET_ONE_REG ioctl on the vCPU file descriptor for the vector 'vlenb' CSR with a register id whose size field is larger than xlen bits (up to the 2048-bit maximum). The handler then copies that many bytes from the supplied user buffer into its xlen-bit local, which is the stack overrun. No guest code needs to run; the problem is in the host-side register-set path itself.

Remediation

Users should upgrade to a Linux kernel that contains the fix. The fix is small: before copying the user value into the local buffer, the handler now checks that the size encoded in the register id equals the width of that buffer (xlen bits) and returns -EINVAL otherwise, so only an xlen-bit value can ever reach the stack variable. The commit containing the fix is available in the Linux kernel stable tree. Until a patched kernel is deployed, limiting which users and containers can open /dev/kvm reduces exposure, since the bug is only reachable by a process that can create a vCPU.
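The following is an added example written for this page, not code from the Linux kernel or from the fix commit. It models, in plain userspace C, the two shapes described in the Vulnerability and Remediation sections: the handler that copies the full user-specified size into an xlen-bit local, and the corrected handler that rejects any size other than the buffer width. The KVM_REG_SIZE encoding constants are taken from the real KVM uapi header; the `struct frame`, the canary, the `model_*` functions and the fact that the register id carries only its size bits here are assumptions of the model, chosen so the oversized copy lands inside one object and can be observed without undefined behaviour.

```c
/*
 * Added example (not Linux kernel code): a userspace model of the
 * KVM_SET_ONE_REG path for the RISC-V vector 'vlenb' CSR, showing the
 * unchecked copy beside the size-checked version.  struct frame, the
 * canary and the model_* names are assumptions of this model; only the
 * KVM_REG_SIZE* encoding is taken from the real uapi header.
 */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* KVM one-reg id encoding (linux/kvm.h): bits 52..55 hold log2(size in bytes). */
#define KVM_REG_SIZE_SHIFT   52
#define KVM_REG_SIZE_MASK    0x00f0000000000000ULL
#define KVM_REG_SIZE_U64     0x0030000000000000ULL   /* 8 bytes: xlen on rv64 */
#define KVM_REG_SIZE_U2048   0x0080000000000000ULL   /* 256 bytes: largest encodable */
#define KVM_REG_SIZE(id)     ((size_t)1 << (((id) & KVM_REG_SIZE_MASK) >> KVM_REG_SIZE_SHIFT))

#define CANARY 0xdeadbeefcafef00dULL

/*
 * Models the handler's stack frame: an xlen-bit reg_val (uint64_t stands in
 * for the kernel's unsigned long on rv64) followed by whatever sits above it
 * on the stack, represented by a canary.  Everything is kept inside one
 * object so the oversized copy stays in bounds and remains observable.
 */
struct frame {
	uint64_t reg_val;                         /* buffer copy_from_user() fills */
	uint64_t canary;                          /* stands in for saved state above it */
	unsigned char spill[256 - 2 * sizeof(uint64_t)];
};

static void frame_init(struct frame *f)
{
	memset(f, 0, sizeof(*f));
	f->canary = CANARY;
}

/* Vulnerable shape: copies KVM_REG_SIZE(id) bytes into an xlen-bit local.
 * reg_id carries only its size bits in this model; the real id also holds
 * architecture, type and register-number bits, elided here. */
int model_set_vlenb_unchecked(struct frame *f, uint64_t reg_id,
			      const void *uaddr, uint64_t cur_vlenb)
{
	size_t reg_size = KVM_REG_SIZE(reg_id);

	memcpy(&f->reg_val, uaddr, reg_size);     /* models copy_from_user() */
	if (f->reg_val != cur_vlenb)
		return -EINVAL;                   /* vlenb must match the host value */
	return 0;
}

/* Fixed shape: refuse any size other than the width of the destination. */
int model_set_vlenb_checked(struct frame *f, uint64_t reg_id,
			    const void *uaddr, uint64_t cur_vlenb)
{
	size_t reg_size = KVM_REG_SIZE(reg_id);

	if (reg_size != sizeof(f->reg_val))
		return -EINVAL;
	memcpy(&f->reg_val, uaddr, reg_size);
	if (f->reg_val != cur_vlenb)
		return -EINVAL;
	return 0;
}

int canary_intact(const struct frame *f)
{
	return f->canary == CANARY;
}

/* Drives both handlers with a constructed 256-byte "user" payload whose first
 * xlen bits hold the correct vlenb and whose remaining bytes are attacker
 * chosen.  Returns 1 when the unchecked handler accepts the request and
 * clobbers the canary while the checked handler rejects it and leaves the
 * frame untouched. */
int demo(void)
{
	const uint64_t vlenb = 16;                /* e.g. VLEN = 128 bits -> 16 bytes */
	unsigned char payload[256];
	struct frame f;
	int rc_unchecked, rc_checked, clobbered, rejected_clean;

	memset(payload, 0x41, sizeof(payload));   /* constructed attacker bytes */
	memcpy(payload, &vlenb, sizeof(vlenb));   /* first xlen bits: valid vlenb */

	frame_init(&f);
	rc_unchecked = model_set_vlenb_unchecked(&f, KVM_REG_SIZE_U2048, payload, vlenb);
	clobbered = !canary_intact(&f);

	frame_init(&f);
	rc_checked = model_set_vlenb_checked(&f, KVM_REG_SIZE_U2048, payload, vlenb);
	rejected_clean = (rc_checked == -EINVAL) && canary_intact(&f);

	printf("unchecked: rc=%d, canary %s\n", rc_unchecked, clobbered ? "clobbered" : "intact");
	printf("checked:   rc=%d, canary %s\n", rc_checked, rejected_clean ? "intact" : "clobbered");

	return rc_unchecked == 0 && clobbered && rejected_clean;
}

int main(void)
{
	return demo() ? 0 : 1;
}
```

The unchecked path is doubly bad from the attacker's point of view: because the first xlen bits of the payload hold the correct vlenb, the comparison afterwards still succeeds and the call returns 0, so nothing in the return value hints that 248 extra bytes were written above the local. The checked path never touches the frame for a mismatched size, which is the property the fix restores.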

Added: Sep 16, 2025, 4:07 PM
Updated: Sep 16, 2025, 4:07 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.