Linux Kernel SCSI QLA2XXX Payload Size Vulnerability in Frame Copy Functions

A vulnerability in the Linux kernel's SCSI QLA2XXX driver can lead to a member overflow. This issue arises in the functions 'qla27xx_copy_fpin_pkt()' and 'qla27xx_copy_multiple_pkt()', where the frame size reported by the firmware is used to determine the copy length into a fixed-size 64-byte array in the 'purex_item' structure. If the reported frame size exceeds 64 bytes, it causes a buffer overflow by overwriting adjacent memory. Although this may not immediately crash the system, it creates an unstable condition that could be exploited, especially with the added risk of triggering warnings under 'CONFIG_FORTIFY_SOURCE'. The vulnerability has been addressed by modifying the code to limit the copy length to 64 bytes, ensuring that all data transfers remain within the safe boundaries of the designated structure member.

Impact

Exploitation of this vulnerability can lead to memory corruption by overwriting adjacent memory areas, potentially causing unpredictable behavior in the system or application.

Reproduction

The vulnerability can be reproduced by using a QLogic Fibre Channel HBA that supports the QLA2XXX driver. When the firmware reports a frame size greater than 64 bytes, the 'qla27xx_copy_fpin_pkt()' or 'qla27xx_copy_multiple_pkt()' functions will be called. The functions will attempt to copy the data into the 'iocb' member of the 'purex_item' structure without proper validation, leading to a buffer overflow.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux documentation.