Linux Kernel RDMA/UMAD Negative Data Length Vulnerability in IB/UMAD Write

Vulnerability

A vulnerability in the Linux kernel's RDMA/UMAD component allows a negative data length to be calculated in the 'ib_umad_write' function. The issue arises from a mismatch between user-controlled MAD header sizes and RMPP header lengths, which produces a negative 'data_len' value. The vulnerability is present in the Linux kernel stable tree, in versions prior to the latest commit that addresses this issue. When 'data_len' becomes negative, it can cause the padding calculation to exceed the segment size, resulting in an out-of-bounds memory write. The flaw was detected using the Kernel Address Sanitizer (KASAN), which reported a slab-out-of-bounds error.
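
The length arithmetic described above, modelled in user-space C as an added example (not the kernel's code and not the upstream patch). All function names and sizes are assumptions constructed for illustration; it shows how a negative 'data_len' pushes the padding past the segment size and how a sign check before the padding step rejects the request.

```c
#include <stdio.h>

/* Model of the length arithmetic only; names and sizes are illustrative
 * assumptions, not the kernel's code or constants. */

/* Payload bytes left once both headers are subtracted from the write size. */
static int compute_data_len(int count, int umad_hdr, int rmpp_hdr_len)
{
    return count - umad_hdr - rmpp_hdr_len;
}

/* Padding that rounds the payload up to a whole segment. C's % keeps the
 * sign of the dividend, so a negative data_len gives pad > seg_size. */
static int compute_pad(int data_len, int seg_size)
{
    int pad = seg_size - data_len % seg_size;
    return pad == seg_size ? 0 : pad;
}

/* Hardened form: reject before any padding or allocation is derived.
 * Returns 0 and stores the padding on success, -1 on rejection. */
static int checked_pad(int count, int umad_hdr, int rmpp_hdr_len,
                       int seg_size, int *pad)
{
    int data_len = compute_data_len(count, umad_hdr, rmpp_hdr_len);
    if (seg_size <= 0 || data_len < 0)
        return -1;
    *pad = compute_pad(data_len, seg_size);
    return 0;
}

int main(void)
{
    /* Constructed sizes: the two header sizes together exceed the
     * size of the write, so the subtraction goes negative. */
    int count = 80, umad_hdr = 64, rmpp_hdr_len = 56, seg_size = 200, pad = 0;
    int data_len = compute_data_len(count, umad_hdr, rmpp_hdr_len);

    printf("data_len=%d pad=%d (seg_size=%d)\n",
           data_len, compute_pad(data_len, seg_size), seg_size);
    printf("checked: %s\n",
           checked_pad(count, umad_hdr, rmpp_hdr_len, seg_size, &pad)
               ? "rejected" : "accepted");
    return 0;
}
```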

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by supplying a user-defined MAD header size that does not match the expected RMPP header length, causing the 'data_len' calculation to become negative. This negative value then triggers an out-of-bounds memory write in the 'alloc_send_rmpp_list' function.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been fixed.

Added: Mar 18, 2026, 11:29 AM
Updated: Mar 18, 2026, 11:29 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.8
exploitability: 4.3
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.