Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's IAVF driver, specifically in the function responsible for configuring the RSS hash key and lookup table. This vulnerability arises from an off-by-one error that leads to out-of-bounds memory reads and improper writes to device registers. The issue was introduced in a commit that altered the loop's upper boundary, causing it to exceed the valid index range. The vulnerability has been addressed by correcting the loop to use a less-than comparison, ensuring that it does not surpass the designated limits.
Exploitation of this vulnerability causes a slab-out-of-bounds memory access, as reported by KASAN. This type of access can lead to memory corruption or unauthorized manipulation of data.
The vulnerability can be reproduced by using a version of the Linux kernel that includes the faulty RSS configuration logic in the IAVF driver. When the IAVF driver attempts to configure the RSS hash key or lookup table, it will read beyond the allocated memory bounds, triggering a KASAN error about a slab-out-of-bounds access. This can be observed in the kernel's workqueue, specifically during the 'iavf_watchdog_task' processing.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit that addresses this issue is available in the Linux stable tree.
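The off-by-one described above can be modelled in user space. The following is an added example, not code from the IAVF driver or from this advisory: the buffer size, struct and function names are all hypothetical, and the checked accessors record each violation instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BYTES 52u                /* constructed size, not taken from the driver */
#define KEY_REGS  (KEY_BYTES / 4u)   /* one 32-bit register per key dword */

struct rss_model {
    uint8_t  key[KEY_BYTES];   /* stands in for the heap-allocated key buffer */
    uint32_t regs[KEY_REGS];   /* stands in for the device's key registers */
    unsigned oob_reads;        /* reads past the end of key[] */
    unsigned oob_writes;       /* writes to a register index that does not exist */
};

/* Checked accessors: record the violation instead of performing it. */
static uint32_t read_dword(struct rss_model *m, size_t i)
{
    uint32_t v = 0;
    if ((i + 1) * 4 > sizeof(m->key)) { m->oob_reads++; return 0; }
    memcpy(&v, m->key + i * 4, sizeof(v));
    return v;
}

static void write_reg(struct rss_model *m, size_t i, uint32_t v)
{
    if (i >= KEY_REGS) { m->oob_writes++; return; }
    m->regs[i] = v;
}

/* inclusive != 0 models the faulty "<=" bound, 0 the corrected "<" bound.
 * Returns out-of-bounds reads plus out-of-bounds register writes. */
unsigned program_key(int inclusive)
{
    struct rss_model m;
    size_t i, n = KEY_BYTES / 4;

    memset(&m, 0, sizeof(m));
    for (i = 0; inclusive ? i <= n : i < n; i++)
        write_reg(&m, i, read_dword(&m, i));
    return m.oob_reads + m.oob_writes;
}

int main(void)
{
    printf("<= bound: %u violations\n", program_key(1));
    printf("<  bound: %u violations\n", program_key(0));
    return 0;
}
```

The inclusive bound runs exactly one extra iteration, which produces one read past the buffer and one write to a register index beyond the valid range; the less-than bound produces neither.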