Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability exists in the Linux kernel's Google GVE driver, specifically in the buffer cleanup process for QPL mode. The issue arises in the 'gve_tx_clean_pending_packets' function, which deallocates buffers using the cleanup path intended for RDA mode. This mismatch leads to two problems: first, the DMA array, which holds buffer IDs in QPL mode, is misinterpreted as holding DMA addresses, so the wrong memory locations are unmapped. Second, the 'num_bufs' count in QPL mode can greatly exceed the actual size of the DMA array, resulting in out-of-bounds accesses. These issues were identified through warnings generated by the Undefined Behavior Sanitizer (UBSAN), indicating array index violations.
Exploitation of this vulnerability can cause out-of-bounds memory access, potentially leading to memory corruption or other undefined behavior.
The vulnerability can be reproduced by activating DQ-QPL mode in the Google GVE driver. When packets are processed, the 'gve_tx_clean_pending_packets' function will incorrectly unmap DMA buffers, leading to out-of-bounds access warnings. This behavior can be observed by monitoring the system for UBSAN warnings related to array index violations, specifically those indicating that the index is out of range for the DMA array.
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.