Linux Kernel i40e Component Index Validation Vulnerability in Queue Configuration

Vulnerability

A vulnerability exists in the Linux kernel's i40e component, specifically within the virtual channel queue configuration function for virtual functions (i40e_vc_config_queues_msg). The issue arises because the function does not properly validate the index of the traffic class being accessed, which can lead to out-of-bounds errors. This vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can cause out-of-bounds errors, potentially leading to memory corruption or other unintended behavior in the i40e component.

Reproduction

The vulnerability can be reproduced by enabling the Adaptive Queuing (ADq) feature on a virtual function (VF) managed by the i40e driver. When the VF's queue configuration message is processed, the function does not properly validate the traffic class index carried in that message, allowing out-of-bounds access.
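As an added illustration, not the kernel's own code: a simplified C model of the index validation a VF queue-configuration handler needs before it touches per-traffic-class state. All names (MAX_TC, vf_tc_info, vc_queue_cfg, vc_config_queues, scenario_*) are assumed for the example, and the message layout is a constructed stand-in for the real virtual channel message.

```c
/* Simplified model of a VF queue-configuration handler. All names here
 * (MAX_TC, vf_tc_info, vc_queue_cfg, vc_config_queues, scenario_*) are
 * assumed for the example and are not the kernel's own. */
#include <stdint.h>

#define MAX_TC 8       /* size of the per-VF traffic-class table */
#define MAX_QUEUES 16  /* queue pairs one message may carry */

struct vf_tc_info {
    uint16_t num_tc;              /* traffic classes enabled on this VF */
    uint16_t tc_qcount[MAX_TC];   /* queues assigned to each class */
};

struct vc_queue_cfg {             /* message as received from the VF */
    uint16_t num_queues;
    uint16_t queue_tc[MAX_QUEUES]; /* requested traffic class per queue */
};

/* Returns 0 on success, -1 when the message is rejected. The VF controls
 * every field of msg, so each index is checked before use. The bug class
 * in the advisory is a missing tc >= vf->num_tc check: without it,
 * tc_qcount[tc] is indexed by a VF-chosen value. */
int vc_config_queues(struct vf_tc_info *vf, const struct vc_queue_cfg *msg)
{
    uint16_t i, tc;
    if (msg->num_queues > MAX_QUEUES)
        return -1;
    /* Validate everything before touching VF state, so a rejected
     * message leaves no partial update behind. */
    for (i = 0; i < msg->num_queues; i++) {
        tc = msg->queue_tc[i];
        if (tc >= vf->num_tc || tc >= MAX_TC)
            return -1;
    }
    for (i = 0; i < msg->num_queues; i++)   /* apply validated mapping */
        vf->tc_qcount[msg->queue_tc[i]]++;
    return 0;
}

int scenario_valid(void)    /* queues that landed in TC 1: expect 2 */
{
    struct vf_tc_info vf = { .num_tc = 2 };
    struct vc_queue_cfg msg = { .num_queues = 3, .queue_tc = {0, 1, 1} };
    return vc_config_queues(&vf, &msg) == 0 ? vf.tc_qcount[1] : -1;
}
int scenario_oob_tc(void)   /* TC 2 on a 2-class VF: expect 1 (rejected) */
{
    struct vf_tc_info vf = { .num_tc = 2 };
    struct vc_queue_cfg msg = { .num_queues = 2, .queue_tc = {0, 2} };
    return vc_config_queues(&vf, &msg) == -1 && vf.tc_qcount[0] == 0;
}
```

The two-pass shape matters as much as the check itself: validating every entry before applying any keeps a rejected message from leaving the VF's traffic-class table half-updated.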

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Oct 15, 2025, 8:54 AM
Updated: Oct 15, 2025, 8:54 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 1.3
exploitability: 5.7
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.