Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- 6.6
A slab-out-of-bounds vulnerability has been identified in the dentry comparison function of the Linux kernel's efivarfs file system. The issue, present in kernel version 6.6 and the main branch, arises when a dentry's name is shorter than the expected GUID length: the value derived from the name length then becomes negative, and the comparison reads memory out of bounds. The vulnerability can be exploited through parallel lookups using invalid filenames, leading to potential memory corruption.
Exploitation of this vulnerability causes a slab-out-of-bounds memory access, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by performing parallel lookups in the efivarfs file system with invalid filenames that trigger the condition where the dentry name length is less than the expected GUID length. This can be done by initiating multiple lookup operations simultaneously, using filenames that do not conform to the expected format, which will result in an invalid dentry being added to the hash list. The invalid dentry can then be retrieved and compared, causing the out-of-bounds access.
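The short-name condition described above, as a user-space C model added here for illustration (it is not the kernel's code): `GUID_LEN` (assumed to be 36, the length of a textual GUID) and both function names are hypothetical. The first function shows what an unchecked length calculation hands to `memcmp()`; the second rejects short names before any offset is used.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Assumption: the GUID suffix of a variable name is a 36-character textual GUID. */
#define GUID_LEN 36

/* Length an unchecked compare would pass to memcmp(): for a name shorter
 * than GUID_LEN the signed difference is negative and converts to a huge
 * size_t, which is what drives the out-of-bounds read. */
size_t unchecked_prefix_len(unsigned int len)
{
    int guid = (int)len - GUID_LEN;
    return (size_t)guid;
}

/* Hardened model. Returns 0 on match, 1 on mismatch.
 * Names too short to hold a variable name plus the GUID are rejected
 * before the offset is used for any memory access. */
int compare_checked(const char *str, unsigned int len,
                    const char *name, unsigned int name_len)
{
    int guid = (int)len - GUID_LEN;

    if (name_len != len)
        return 1;
    if (guid <= 0)                        /* invalid (too short) name */
        return 1;
    if (memcmp(str, name, (size_t)guid))  /* case-sensitive variable name part */
        return 1;
    /* case-insensitive GUID suffix */
    return strncasecmp(name + guid, str + guid, GUID_LEN) != 0;
}
```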
Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Archive.