Linux Kernel Memory Corruption Vulnerability in Intel P-Unit IPC Driver

Vulnerability

A memory corruption vulnerability has been identified in the Linux kernel's Intel P-Unit mailbox IPC driver. The driver passes the address of the pointer, '&punit_ipcdev', where the pointer itself, 'punit_ipcdev' (without the ampersand), was intended. As a result, the 'complete(&ipcdev->cmd_complete)' call in 'intel_punit_ioc()' writes to an incorrect memory address, leading to memory corruption.
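The pointer mix-up described above, modeled in user-space C as an added example (not the kernel's code and not the upstream patch). The struct layouts and the names 'module_data', 'handler' and 'fire_irq' are constructed stand-ins, and the handler only increments a counter where the real 'complete()' does more.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins, not the kernel's definitions. */
struct completion { unsigned int done; };
struct ipc_dev {
    void *regs[6];                    /* fields ahead of the completion */
    struct completion cmd_complete;
};

/* Models the driver's global pointer and the memory that follows it. */
struct module_data {
    struct ipc_dev *punit_ipcdev;
    unsigned char neighbours[128];
};

/* Models the handler: treat dev_id as an ipc_dev and bump cmd_complete.done.
 * module_data is sized so that the stray write stays inside this demo. */
static void handler(void *dev_id)
{
    size_t off = offsetof(struct ipc_dev, cmd_complete)
               + offsetof(struct completion, done);
    unsigned char *p = (unsigned char *)((uintptr_t)dev_id + off);
    unsigned int done;

    memcpy(&done, p, sizeof done);
    done++;
    memcpy(p, &done, sizeof done);
}

/* Simulates one interrupt. Returns the real device's done count and stores
 * the number of neighbour bytes the handler modified in *damage. */
static unsigned int fire_irq(int pass_address_of_pointer, size_t *damage)
{
    struct ipc_dev dev;
    struct module_data m;
    size_t i;

    memset(&dev, 0, sizeof dev);
    memset(&m, 0, sizeof m);
    m.punit_ipcdev = &dev;
    handler(pass_address_of_pointer ? (void *)&m.punit_ipcdev   /* bug */
                                    : (void *)m.punit_ipcdev);  /* fix */
    for (*damage = 0, i = 0; i < sizeof m.neighbours; i++)
        *damage += m.neighbours[i] != 0;
    return dev.cmd_complete.done;
}
```

With the ampersand the device's own completion is never signalled and a byte of unrelated memory changes instead; without it the completion is signalled and the neighbouring memory is untouched.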

Impact

This vulnerability causes memory corruption, which can potentially be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by loading the Intel P-Unit mailbox IPC driver with the incorrect pointer reference. This can be done by modifying the driver's probe function to pass the address of the pointer instead of the pointer itself when requesting an interrupt. The interrupt handler registered through 'devm_request_irq' will then write to a wrong memory address, corrupting it.

Remediation

Users can apply the available patch in the Linux kernel stable tree to address this vulnerability. The patch is included in the official Linux kernel repository.

Added: Dec 16, 2025, 6:18 PM
Updated: Dec 16, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.