Linux Kernel skb Fragments Overflow Vulnerability in WWAN T7XX Driver

Vulnerability

A buffer overflow vulnerability has been identified in the Linux kernel's WWAN T7XX driver, specifically in the DPMAIF RX data path. The issue arises because the function t7xx_dpmaif_set_frag_to_skb() adds page fragments to a socket buffer (skb) without verifying whether the total number of fragments has exceeded the maximum allowed. This oversight can lead to an overflow in the skb's fragment array, corrupting adjacent memory and potentially causing kernel crashes or other unpredictable behavior. The vulnerability can be triggered by modem firmware that sends packets with excessive fragments, exploiting the kernel's trust in firmware integrity. The issue has been addressed by implementing a bounds check to ensure the number of fragments does not exceed the maximum limit, preventing the overflow and its associated risks.
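The bounds check described above, shown as an added example rather than the driver's own code: a simplified userspace C model of a fixed-size fragment array fed by a device-supplied fragment count. All names (model_skb, model_add_frag, model_rx_packet), the limit of 17 fragments, and the canary field standing in for adjacent memory are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified userspace model; names and sizes are assumptions, not kernel code. */
#define MODEL_MAX_FRAGS 17              /* stands in for the per-skb fragment limit */

struct model_frag { const void *page; unsigned int off, len; };

struct model_skb {
    unsigned int nr_frags;
    unsigned int len;
    struct model_frag frags[MODEL_MAX_FRAGS];
    unsigned long canary;               /* stands in for memory adjacent to frags[] */
};

/* Checked append: refuse the fragment instead of writing past frags[]. */
static int model_add_frag(struct model_skb *skb, const void *page,
                          unsigned int off, unsigned int len)
{
    if (skb->nr_frags >= MODEL_MAX_FRAGS)
        return -EINVAL;                 /* array is full: caller drops the packet */
    skb->frags[skb->nr_frags++] = (struct model_frag){ page, off, len };
    skb->len += len;
    return 0;
}

/* RX path: 'count' comes from the device and is untrusted.
 * Returns the number of fragments attached, or a negative errno on drop. */
static int model_rx_packet(struct model_skb *skb, const void *page,
                           unsigned int count, unsigned int frag_len)
{
    for (unsigned int i = 0; i < count; i++) {
        int ret = model_add_frag(skb, page, i * frag_len, frag_len);
        if (ret)
            return ret;
    }
    return (int)skb->nr_frags;
}

int main(void)
{
    static char page[4096];             /* constructed sample receive buffer */
    struct model_skb ok = { .canary = 0xC0FFEEUL }, bad = { .canary = 0xC0FFEEUL };
    int r_ok = model_rx_packet(&ok, page, 3, 64);
    int r_bad = model_rx_packet(&bad, page, 40, 64);
    printf("3 frags -> %d, 40 frags -> %d, canary intact: %d\n",
           r_ok, r_bad, bad.canary == 0xC0FFEEUL);
    return 0;
}
```

Without the check in model_add_frag, the eighteenth append would write into canary, which is the model's equivalent of the adjacent-memory corruption described above.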

Impact

Exploitation of this vulnerability can cause a buffer overflow, leading to memory corruption, kernel crashes, or other undefined behavior.

Reproduction

The vulnerability can be reproduced when the modem firmware sends packets with more fragments than the normal protocol limits allow. Malicious or buggy firmware that does not respect the expected fragment count can do this, because the kernel does not validate the count.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the official Linux Git repository. Instructions for downloading the latest stable version can be found on the Linux kernel website.

Added: Feb 14, 2026, 4:18 PM
Updated: Feb 14, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.1
exploitability: 4.7
remediation: 7.7
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.