Linux Kernel NVMe Memory Allocation Vulnerability in Key Reading Function

Vulnerability

A vulnerability has been identified in the Linux kernel's NVMe driver, specifically in the 'nvme_pr_read_keys' function. This function sizes a memory allocation from user-supplied input, which can lead to excessive memory usage. 'nvme_pr_read_keys' accepts a 'num_keys' value from userspace and uses it to calculate how much memory to allocate. Although there is an upper limit of 64K, a malicious or faulty userspace program can still pass a large 'num_keys' value, causing the function to attempt a 4MB allocation. Such a large request triggers a warning in the page allocator, as it exceeds the maximum allowed page order. The vulnerability affects Linux kernel versions prior to 6.19.1.
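The sizing arithmetic described above can be modelled in userspace to see where a 'num_keys' value crosses the page-order limit. This is an added example, not code from the kernel or from this advisory; the function names are hypothetical, and the 4 KiB page size, maximum page order of 10, and 64-byte header plus 64-byte per-key entry are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values, not stated in the advisory: 4 KiB pages, a maximum page
 * order of 10, and a 64-byte header followed by one 64-byte entry per key. */
#define PAGE_SHIFT_ASSUMED 12u
#define MAX_ORDER_ASSUMED  10u
#define HDR_BYTES          64u
#define ENTRY_BYTES        64u
#define NUM_KEYS_CAP       (64u * 1024u)   /* the 64K upper limit from the text */

/* Bytes requested for num_keys entries; 0 if the multiplication would wrap. */
static size_t model_rse_len(uint32_t num_keys)
{
    size_t n = num_keys;
    return n > (SIZE_MAX - HDR_BYTES) / ENTRY_BYTES ? 0 : HDR_BYTES + n * ENTRY_BYTES;
}

/* Smallest order whose block of (1 << order) pages holds len bytes. */
static unsigned int model_order(size_t len)
{
    size_t pages = (len + ((size_t)1 << PAGE_SHIFT_ASSUMED) - 1) >> PAGE_SHIFT_ASSUMED;
    unsigned int order = 0;
    while (((size_t)1 << order) < pages)
        order++;
    return order;
}

/* 1 when a physically contiguous allocation of this size is over the limit. */
static int model_exceeds_max_order(uint32_t num_keys)
{
    return model_order(model_rse_len(num_keys)) > MAX_ORDER_ASSUMED;
}

/* Largest num_keys whose buffer still fits in one maximum-order block. */
static uint32_t model_max_contiguous_keys(void)
{
    size_t max_bytes = (size_t)1 << (PAGE_SHIFT_ASSUMED + MAX_ORDER_ASSUMED);
    return (uint32_t)((max_bytes - HDR_BYTES) / ENTRY_BYTES);
}

int main(void)
{
    uint32_t s[] = { 1, 1024, model_max_contiguous_keys(), NUM_KEYS_CAP };
    for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("num_keys=%u bytes=%zu over_limit=%d\n", (unsigned)s[i],
               model_rse_len(s[i]), model_exceeds_max_order(s[i]));
    return 0;
}
```

Under these assumptions the header pushes a request at the 64K cap just past 4 MB, so it needs one page order more than the assumed maximum, while one key fewer still fits.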

Impact

Exploitation of this vulnerability can lead to excessive memory allocation, causing warnings in the page allocator and potentially disrupting normal memory management processes.

Reproduction

The vulnerability can be reproduced by invoking the 'nvme_pr_read_keys' function through a block device ioctl command. A large 'num_keys' value can be passed from userspace, which will be accepted by the function without proper validation, leading to the excessive memory allocation.

Remediation

Users can upgrade to Linux kernel version 6.19.1 or later, where this vulnerability has been addressed. Instructions for downloading the latest version can be found on the official Linux kernel website.

Added: Mar 18, 2026, 11:47 AM
Updated: Mar 18, 2026, 11:47 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 3.9
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.