Linux Kernel Integer Overflow Vulnerability in MTD Character Driver IOCTLs

Vulnerability

A vulnerability allowing integer overflow has been identified in the Linux kernel's MTD character driver, specifically within the read and write IOCTL functions. The issue arises because the 'req.start' and 'req.len' variables, which are 64-bit unsigned integers provided by the user, can be manipulated to cause an overflow. While 'req.len' is masked to a maximum of 32 bits, 'req.start' can reach the maximum value of 64 bits, leading to potential exploitation. The vulnerability has been addressed by using the 'check_add_overflow()' function to prevent such overflow conditions.
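The wrapping bounds check the advisory describes, beside the check_add_overflow() pattern used in the fix, modelled in userspace C as an added example (not the kernel's MTD driver code; the struct, the 64 MiB device size and the request values are constructed, and __builtin_add_overflow stands in for the kernel macro, which wraps the same builtin):

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the user-supplied fields named in the advisory:
 * a 64-bit start and a 64-bit length that the driver masks to 32 bits. */
struct mtd_req {
    uint64_t start;
    uint64_t len;
};

/* Constructed device size: a 64 MiB flash. */
static const uint64_t MTD_SIZE = 64ULL * 1024 * 1024;

/* Vulnerable pattern: start + len is computed in 64-bit unsigned arithmetic,
 * so a start close to U64_MAX makes the sum wrap to a small value that
 * passes the size comparison even though the range is far past the end. */
int range_ok_unchecked(const struct mtd_req *req)
{
    uint64_t len = req->len & 0xffffffffULL;   /* len masked to 32 bits */
    uint64_t end = req->start + len;           /* may wrap around */
    return end <= MTD_SIZE;
}

/* Fixed pattern: check_add_overflow() (here __builtin_add_overflow) reports
 * the wrap instead of silently producing a truncated sum, so the request is
 * rejected before the size comparison is ever reached. */
int range_ok_checked(const struct mtd_req *req)
{
    uint64_t len = req->len & 0xffffffffULL;
    uint64_t end;
    if (__builtin_add_overflow(req->start, len, &end))
        return 0;                               /* overflow: reject */
    return end <= MTD_SIZE;
}

int main(void)
{
    struct mtd_req normal = { 0, 4096 };                      /* constructed */
    struct mtd_req wrap   = { 0xFFFFFFFFFFFFFFF0ULL, 0x20 };  /* constructed */
    printf("normal: unchecked=%d checked=%d\n",
           range_ok_unchecked(&normal), range_ok_checked(&normal));
    printf("wrap:   unchecked=%d checked=%d\n",
           range_ok_unchecked(&wrap), range_ok_checked(&wrap));
    return 0;
}
```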

Impact

Exploitation of this vulnerability could lead to unintended behavior in the kernel, potentially allowing for memory corruption or other issues related to improper handling of data sizes.

Reproduction

The vulnerability can be reproduced by sending IOCTL requests to the MTD character device that include carefully crafted values for 'req.start' and 'req.len'. The values should be chosen to trigger the integer overflow condition, taking advantage of the fact that 'req.start' can be set to a value close to U64_MAX.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Dec 16, 2025, 4:01 PM
Updated: Dec 16, 2025, 4:01 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.