Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's NVMe over TCP target driver could lead to a general protection fault or a use-after-free error, as detected by the Kernel Address Sanitizer. The issue arises in the 'nvmet_tcp_build_pdu_iovec' function, which can improperly access scatter-gather list entries when the Protocol Data Unit (PDU) length or offset exceeds the available entries. This mismanagement can cause the function to read invalid length or offset values, disrupting memory operations and potentially leading to memory corruption.
The vulnerability can cause a use-after-free error or a general protection fault, both of which can lead to memory corruption.
The vulnerability can be reproduced by sending a PDU over NVMe over TCP that exceeds the scatter-gather list's bounds. This can be done by manipulating the PDU length or offset to exceed the available entries in the scatter-gather list, causing the 'nvmet_tcp_build_pdu_iovec' function to read invalid memory values.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.
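The failure mode described above is an iovec builder that keeps walking a scatter-gather list after the requested offset or length has run past its last entry. The following userspace model is an added example, not the kernel's code or the upstream patch; `struct sg_ent` and `build_iovec_checked` are hypothetical names, and the buffers in `main` are constructed sample data. It shows the check that keeps every access inside the list and rejects a request that does not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* Hypothetical stand-in for one scatter-gather entry (not struct scatterlist). */
struct sg_ent { void *base; uint32_t length; };

/*
 * Map the byte range [offset, offset + len) of the buffer described by
 * sg[0..sg_cnt) into iov[]. Returns the number of iovecs written, or -1 if
 * the range does not fit in the list or in iov[]. sg[] is never indexed at
 * or beyond sg_cnt.
 */
int build_iovec_checked(const struct sg_ent *sg, size_t sg_cnt,
                        uint64_t offset, uint64_t len,
                        struct iovec *iov, size_t iov_max)
{
    size_t i = 0, n = 0;

    /* Skip entries fully covered by the offset, stopping at the list end. */
    while (i < sg_cnt && offset >= sg[i].length) {
        offset -= sg[i].length;
        i++;
    }
    while (len > 0) {
        if (i >= sg_cnt || n >= iov_max)
            return -1;                  /* request runs past the SG list */
        uint64_t avail = sg[i].length - offset;
        uint64_t take = len < avail ? len : avail;
        iov[n].iov_base = (char *)sg[i].base + offset;
        iov[n].iov_len = (size_t)take;
        n++;
        len -= take;
        offset = 0;                     /* later entries start at byte 0 */
        i++;
    }
    return (int)n;
}

int main(void)
{
    char a[8], b[4];                    /* constructed sample buffers */
    struct sg_ent sg[2] = { { a, sizeof a }, { b, sizeof b } };
    struct iovec iov[4];

    printf("in bounds:     %d\n", build_iovec_checked(sg, 2, 6, 5, iov, 4));
    printf("length too big: %d\n", build_iovec_checked(sg, 2, 6, 7, iov, 4));
    return 0;
}
```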