Linux Kernel Starfive Crypto Component Buffer Overflow Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of the Starfive crypto component has been addressed. The issue arose because the return value of the 'sg_nents_for_len' function was improperly assigned to an unsigned long in the 'starfive_hash_digest' function. This misassignment allowed negative error codes to be interpreted as large positive integers, potentially leading to buffer overflow vulnerabilities. The patch adds proper error checking for 'sg_nents_for_len' and ensures that the function returns immediately upon encountering a failure, thereby mitigating the risk of buffer overflows.

Impact

The vulnerability could be exploited to cause a buffer overflow, which may lead to arbitrary code execution or the corruption of memory, depending on the context in which the overflow occurs.

Reproduction

The vulnerability can be reproduced by invoking the 'starfive_hash_digest' function with a source scatter-gather list for which 'sg_nents_for_len' returns a negative value. This happens when the length passed to 'sg_nents_for_len' exceeds the expected length, so the function returns an error code that is incorrectly interpreted as a positive integer. Without the error check, 'starfive_hash_digest' proceeds with an invalid length, creating the conditions for a buffer overflow.

Remediation

Users can apply the latest patches from the Linux kernel stable tree to address this vulnerability. The patched version includes the necessary error checks to catch negative return values from 'sg_nents_for_len' and avoid potential buffer overflows.
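
The bug class and the fix pattern described above, as an added userspace example (not the kernel driver's code or the upstream patch). The names model_sg_nents_for_len, nents_unchecked, nents_checked and the sample segment list are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a scatterlist: only the segment lengths matter here. */
struct seg { size_t len; };
static const struct seg sample[] = { { 16 }, { 16 } };   /* 32 bytes total */

/* Userspace model of sg_nents_for_len(): entries needed to cover len,
 * or -EINVAL when the list holds fewer than len bytes. */
static int model_sg_nents_for_len(const struct seg *sg, int n, size_t len)
{
    size_t total = 0;

    if (!len)
        return 0;
    for (int i = 0; i < n; i++) {
        total += sg[i].len;
        if (total >= len)
            return i + 1;
    }
    return -EINVAL;
}

/* Unpatched pattern: the int result lands directly in an unsigned long,
 * so -EINVAL (-22) is converted to ULONG_MAX - 21 and looks like a count. */
static unsigned long nents_unchecked(const struct seg *sg, int n, size_t len)
{
    unsigned long nents = model_sg_nents_for_len(sg, n, len);
    return nents;
}

/* Patched pattern: keep the result signed, test it, return on failure. */
static int nents_checked(const struct seg *sg, int n, size_t len, unsigned long *out)
{
    int ret = model_sg_nents_for_len(sg, n, len);

    if (ret < 0)
        return ret;          /* *out is left untouched */
    *out = (unsigned long)ret;
    return 0;
}

int main(void)
{
    unsigned long nents = 0;
    int rc = nents_checked(sample, 2, 100, &nents);

    printf("unchecked: %lu\n", nents_unchecked(sample, 2, 100));
    printf("checked:   rc=%d nents=%lu\n", rc, nents);
    return 0;
}
```

When reviewing other callers, the same pattern to look for is an 'sg_nents_for_len' result stored in an unsigned variable or struct field with no preceding signed check.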

Added: Jan 5, 2026, 10:26 AM
Updated: Jan 5, 2026, 10:26 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.