Linux Kernel Buffer Overflow Vulnerability in SCSI Target Core Configfs

Vulnerability

A buffer overflow vulnerability has been identified in the Linux kernel's SCSI target core configuration filesystem. The issue arises in the 'target_lu_gp_members_show' function within 'drivers/target/target_core_configfs.c'. There, the 'buf' variable, allocated 256 bytes, is written to using 'snprintf'. The call formats several strings into 'buf': the HBA name, a slash, the device name, and a newline, which together can exceed the buffer size. The flaw is that 'snprintf' returns the total number of bytes that would have been written had the buffer been large enough, not the number actually stored. That value can surpass the 256-byte limit, and it is then passed to 'memcpy' as the copy length, leading to a reported buffer overflow error. The vulnerability affects Linux kernel versions prior to the patch included in this commit.
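The length mismatch described above, as an added userspace example (not the kernel's code and not the patch): 'unchecked_copy_len' returns the value the unchecked pattern would hand to 'memcpy', and 'append_member' shows one way to clamp it first. The names 'MEMBER_BUF_SIZE', 'unchecked_copy_len' and 'append_member' and the 200-character sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MEMBER_BUF_SIZE 256 /* hypothetical name; 256 is the size of 'buf' per the advisory */

/* Length the unchecked pattern would pass to memcpy: snprintf's return
 * value, i.e. the length the full string needs, not what was stored. */
size_t unchecked_copy_len(const char *hba, const char *dev)
{
    char buf[MEMBER_BUF_SIZE];
    int n = snprintf(buf, sizeof(buf), "%s/%s\n", hba, dev);
    return n < 0 ? 0 : (size_t)n; /* can exceed sizeof(buf) */
}

/* Hardened variant (illustrative): clamp to the bytes actually stored in
 * buf before copying, and refuse to write past the end of the destination.
 * Returns the new number of bytes used in 'out'. */
size_t append_member(char *out, size_t out_size, size_t used,
                     const char *hba, const char *dev)
{
    char buf[MEMBER_BUF_SIZE];
    int n = snprintf(buf, sizeof(buf), "%s/%s\n", hba, dev);
    size_t len;

    if (n < 0)
        return used;
    len = (size_t)n >= sizeof(buf) ? sizeof(buf) - 1 : (size_t)n;
    if (used > out_size || len > out_size - used)
        return used; /* no room: leave the output unchanged */
    memcpy(out + used, buf, len);
    return used + len;
}

int main(void)
{
    char hba[201], dev[201], page[4096];

    /* Constructed sample names: 200 characters each. */
    memset(hba, 'h', 200); hba[200] = '\0';
    memset(dev, 'd', 200); dev[200] = '\0';

    printf("unchecked length: %zu (buffer is %d)\n",
           unchecked_copy_len(hba, dev), MEMBER_BUF_SIZE);
    printf("hardened copy:    %zu bytes\n",
           append_member(page, sizeof(page), 0, hba, dev));
    return 0;
}
```

In kernel code the same clamp is usually obtained with 'scnprintf', which returns the number of bytes actually stored.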

Impact

Exploitation of this vulnerability leads to a buffer overflow, which can commonly result in arbitrary code execution or a system crash.

Reproduction

The vulnerability can be reproduced by creating a SCSI target with a large number of devices or with device names that are particularly long. When the 'target_lu_gp_members_show' function is called, the 'snprintf' function will format the HBA name, device name, and additional characters into the 'buf' variable. If the total length of this formatted string exceeds 256 bytes, the buffer overflow will occur.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched.

Added: Oct 15, 2025, 8:20 AM
Updated: Oct 15, 2025, 11:18 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.