Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's QAIC accelerator driver can lead to a general protection fault. When 'find_and_map_user_pages()' is handed a DMA transfer request whose remaining length is zero, it returns 0 (success) without allocating a scatter-gather table or initialising the DMA transfer structure. The caller treats a zero return as "pages mapped", goes on to walk the uninitialised scatter-gather table and faults. The same zero-length path is reached when the device incorrectly asks for a transfer to be continued after every byte has already been transferred, because the remaining length (the requested size minus 'xferred_dma_size') is then zero.
Triggering this vulnerability causes a general protection fault in kernel context: a kernel oops that kills the task in progress and, where the kernel is configured to panic on oops, brings down the whole system. The practical impact is a denial of service available to anyone who can submit transfer requests to the QAIC device.
To reproduce this vulnerability, submit a DMA transfer request with a length of zero so that it reaches 'find_and_map_user_pages()'. Alternatively, have the device request continuation of a transfer after all of its bytes have been transferred, so that 'xferred_dma_size' equals the requested transaction size and the remaining length is zero. In both cases the function returns zero without allocating its resources, the caller accesses the uninitialised scatter-gather table, and a general protection fault follows.
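The failure mode described above, modelled as an added example that is not the driver's own code: a stand-in for 'find_and_map_user_pages()' in its vulnerable shape (returning 0 on a zero-length remainder without allocating the table) beside a hardened shape that rejects such a request, and a caller that walks the table whenever the mapper returns zero. The struct layouts, MODEL_PAGE_SIZE, the run_request/encode_pairs/request_* helpers and the sentinel used to represent an uninitialised pointer are assumptions of this model; a real kernel would fault on the garbage pointer where the model returns -EFAULT.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_PAGE_SIZE 4096  /* assumption: one sg entry per 4 KiB page */

/* Stand-in for a scatter-gather table. Constructed for this example; it is
 * not the kernel's struct sg_table and only records the entry count. */
struct sgt_model {
	size_t nents;
};

/* Per-transfer state. 'size' and 'xferred_dma_size' follow the advisory's
 * wording; the layout itself is an assumption of this model. */
struct xfer_model {
	size_t size;              /* bytes requested for the whole transaction */
	size_t xferred_dma_size;  /* bytes already moved in earlier rounds */
	struct sgt_model *sgt;    /* meaningful only after pages were mapped */
};

/* Sentinel standing in for "never initialised". Real kernel memory would hold
 * whatever was on the stack; the model never dereferences this value. */
#define SGT_UNINIT ((struct sgt_model *)(uintptr_t)0xA5A5A5A5A5A5A5A5ULL)

/* Mapping step shared by both variants: one entry per page of the remainder. */
static int map_remaining(struct xfer_model *x, size_t remaining)
{
	struct sgt_model *sgt = calloc(1, sizeof(*sgt));
	if (!sgt)
		return -ENOMEM;
	sgt->nents = (remaining + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE;
	x->sgt = sgt;
	return 0;
}

/* Vulnerable shape: a zero-length remainder returns 0, i.e. "success", before
 * any table is allocated, so the caller believes it may walk x->sgt. */
static int find_and_map_user_pages_vuln(struct xfer_model *x)
{
	if (x->xferred_dma_size > x->size)
		return -EINVAL;
	size_t remaining = x->size - x->xferred_dma_size;
	if (remaining == 0)
		return 0;                 /* BUG: x->sgt left uninitialised */
	return map_remaining(x, remaining);
}

/* Hardened shape: a request with nothing left to map is rejected outright,
 * which also covers the device asking to continue a finished transfer. */
static int find_and_map_user_pages_fixed(struct xfer_model *x)
{
	if (x->size == 0 || x->xferred_dma_size >= x->size)
		return -EINVAL;
	return map_remaining(x, x->size - x->xferred_dma_size);
}

/* Downstream consumer that walks the table. Returns the entry count, or
 * -EFAULT where the real driver would take a general protection fault. */
static int encode_pairs(const struct xfer_model *x)
{
	if (x->sgt == SGT_UNINIT)
		return -EFAULT;           /* kernel: GPF on a garbage pointer */
	return (int)x->sgt->nents;
}

/* Drive one request through a mapper, then the consumer, as the driver does:
 * only a non-zero mapper return stops the pipeline. */
static int run_request(size_t size, size_t xferred,
		       int (*mapper)(struct xfer_model *))
{
	struct xfer_model x = { .size = size, .xferred_dma_size = xferred,
				.sgt = SGT_UNINIT };
	int ret = mapper(&x);
	if (ret == 0)
		ret = encode_pairs(&x);
	if (x.sgt != SGT_UNINIT)
		free(x.sgt);
	return ret;
}

int request_vuln(size_t size, size_t xferred)
{
	return run_request(size, xferred, find_and_map_user_pages_vuln);
}

int request_fixed(size_t size, size_t xferred)
{
	return run_request(size, xferred, find_and_map_user_pages_fixed);
}

int main(void)
{
	printf("vuln zero-length: %d, vuln continue-after-done: %d\n",
	       request_vuln(0, 0), request_vuln(4096, 4096));
	printf("fixed zero-length: %d, fixed two-page transfer: %d\n",
	       request_fixed(0, 0), request_fixed(8192, 0));
	return 0;
}
```

Build with a C99 compiler (for example, cc -std=c99 -Wall model.c). The two trigger conditions from the advisory, a request of length zero and a continuation where 'xferred_dma_size' already equals the size, both reach the consumer with the table uninitialised in the vulnerable variant and are refused with -EINVAL in the hardened one.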
Users should update to a kernel that contains the fix. Because distributions backport kernel fixes without changing the upstream version string, check the distribution's advisory for the patched package version rather than comparing against the upstream release number alone. Update instructions can be found in the official Linux kernel documentation or in the documentation of the package management system of the distribution in use.