Linux Kernel Buffer Overflow Vulnerability in DMA Tracepoint

Vulnerability

A buffer overflow condition has been addressed in the Linux kernel's tracing subsystem, specifically in the dma_map_sg tracepoint. The tracepoint records the physical address, DMA address and length of every entry in the scatter-gather list as dynamic arrays sized by the entry count, so its per-event payload grows linearly with the list. When a device maps a very large list, as virtio-gpu does when it creates large DRM buffers, the event exceeds the maximum size the perf trace buffer allows for a single event. The issue has been resolved by capping the tracepoint's dynamic arrays at 128 entries: small lists are still recorded in full, and larger lists are truncated to the first 128 entries instead of overflowing the buffer.

Impact

Triggering this condition makes the tracepoint request more space than the perf trace buffer allows for one event. The oversized request is caught by the buffer's size check, which emits a kernel warning (WARN_ONCE) and drops the event, so the observed effect is a warning and lost trace data rather than a silent out-of-bounds write. On kernels configured with panic_on_warn, as syzkaller instances are, the warning is fatal, which is why the report presents as a crash. Only systems that have the dma_map_sg tracepoint enabled through perf are affected; the tracepoint is off by default.

Reproduction

The condition can be reproduced by attaching perf to the dma:dma_map_sg event (for example, perf record -e dma:dma_map_sg) and then having a device map a scatter-gather list of more than 1000 entries, such as virtio-gpu creating a large DRM buffer. syzkaller has reported the issue.
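The sizing behind the overflow described above and in the Vulnerability section, and the effect of the 128-entry cap, as an added userland model (example code, not the kernel's own code). The three per-entry arrays mirror the tracepoint's physical address, DMA address and length fields, but the per-event limit (8192 bytes), the fixed header size (32 bytes) and the function names are assumptions made for the example; the kernel's exact figures may differ.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for the model; not copied from kernel headers. */
#define PERF_MAX_TRACE_SIZE   8192u  /* assumed per-event ceiling of the perf trace buffer */
#define MAX_SG_TRACE_ENTRIES  128u   /* the cap the fix imposes on the dynamic arrays */
#define TRACE_FIXED_HDR       32u    /* assumed fixed part of the event (common header, dev, attrs) */

/* Payload size of a dma_map_sg-style event for nents entries when the
 * dynamic arrays are capped at 'cap' entries. Each entry contributes a
 * u64 physical address, a u64 DMA address and a u32 length. */
size_t dma_map_sg_event_size(unsigned int nents, unsigned int cap)
{
    unsigned int n = nents < cap ? nents : cap;
    size_t per_entry = sizeof(uint64_t) * 2 + sizeof(uint32_t);

    return TRACE_FIXED_HDR + (size_t)n * per_entry;
}

/* Model of the perf trace buffer reservation: an event larger than the
 * ceiling is rejected (the kernel warns once and drops the event). */
int perf_trace_buf_fits(size_t size)
{
    return size <= PERF_MAX_TRACE_SIZE;
}

/* 1 if a list of nents entries can be traced under the given cap, else 0. */
int dma_map_sg_trace_ok(unsigned int nents, unsigned int cap)
{
    return perf_trace_buf_fits(dma_map_sg_event_size(nents, cap));
}

/* Smallest list length that overflows the buffer when no cap is applied. */
unsigned int first_overflowing_nents(void)
{
    unsigned int n;

    for (n = 1; n < 100000; n++)
        if (!dma_map_sg_trace_ok(n, UINT_MAX))
            return n;
    return 0;
}

int main(void)
{
    unsigned int big = 1000;  /* constructed: list size from the report */

    printf("uncapped event for %u entries: %zu bytes, fits=%d\n", big,
           dma_map_sg_event_size(big, UINT_MAX), dma_map_sg_trace_ok(big, UINT_MAX));
    printf("capped event for %u entries:   %zu bytes, fits=%d\n", big,
           dma_map_sg_event_size(big, MAX_SG_TRACE_ENTRIES),
           dma_map_sg_trace_ok(big, MAX_SG_TRACE_ENTRIES));
    printf("first overflowing list length without cap: %u\n", first_overflowing_nents());
    return 0;
}
```

Under these assumptions the uncapped event for 1000 entries is 20032 bytes, well past the ceiling, while the capped event is 2592 bytes regardless of how long the list gets, which is the property the fix relies on: the cap bounds the event size independently of the device.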

Remediation

Users should update to a kernel release that includes the fix capping the dma_map_sg tracepoint's dynamic arrays at 128 entries. Until the update is applied, avoid enabling the dma:dma_map_sg tracepoint through perf on systems whose devices map large scatter-gather lists, such as virtio-gpu guests.

Added: Mar 25, 2026, 11:34 AM
Updated: Mar 25, 2026, 11:34 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.