Linux Kernel svcrdma Index Bound Check Vulnerability in Inline Path

A vulnerability exists in the Linux kernel's svcrdma component, specifically within the inline path of the RPC (Remote Procedure Call) protocol. The issue arises because the function 'svc_rdma_copy_inline_range' accesses the request pages index ('rqstp->rq_pages[rc_curpage]') without properly verifying that 'rc_curpage' is within the bounds of the allocated page array. This oversight could potentially lead to out-of-bounds access. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability could lead to out-of-bounds memory access, which may cause undefined behavior, including memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by invoking the RPC mechanism with Read chunks that exceed the allocated page array size. This can be done by sending a request that includes a 'rc_curpage' index pointing to a page that is not allocated, thereby bypassing the bounds check and potentially accessing invalid memory.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.