Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability allowing out-of-bounds memory access has been identified in the Linux kernel's SCSI IBM Virtual Fibre Channel (ibmvfc) driver. This issue arises because a malicious or compromised Virtual I/O (VIO) server can send a 'num_written' value in the 'discover targets' response that exceeds the maximum number of targets allowed. This unchecked value is then used to index into a buffer that is only allocated for the maximum number of targets, leading to access of kernel memory outside the intended bounds. The out-of-bounds data is subsequently sent back to the VIO server, leaking sensitive kernel memory. The vulnerability has been addressed by adding a validation step to ensure that 'num_written' does not exceed the maximum target limit before it is processed.
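The following is an added, self-contained model of the bug pattern and the fix the advisory describes; it is not the ibmvfc driver's code, and every name in it (`host_state`, `discover_targets_rsp`, `copy_targets_unchecked`, `copy_targets_checked`, the `MAX_TARGETS` value of 8, and the sentinel values) is an assumption made for this example. It places a few slots of "other kernel data" directly after a target buffer sized for `max_targets`, then shows that a `num_written` larger than `max_targets` makes the unchecked copy return that adjacent data, while the checked form rejects the response before any indexing happens.

```c
/* Added example modelling the ibmvfc bounds check; NOT the driver's code.
 * All struct, function and field names below are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_TARGETS 8                 /* assumed stand-in for the driver's max_targets */
#define ARENA_SLOTS (MAX_TARGETS + 4) /* target buffer plus 4 slots of unrelated data */
#define OTHER_DATA  0xDEADBEEFULL     /* constructed marker for non-target kernel data */

/* Constructed model of host memory: slots [0, MAX_TARGETS) are the target
 * buffer; the slots after it stand in for unrelated kernel data that must
 * never be copied into a response to the VIO server. */
struct host_state {
    uint32_t max_targets;
    uint64_t arena[ARENA_SLOTS];
};

/* Constructed stand-in for the 'discover targets' response. num_written is
 * supplied by the VIO server and therefore untrusted. */
struct discover_targets_rsp {
    uint32_t num_written;
};

static void init_host(struct host_state *hs)
{
    hs->max_targets = MAX_TARGETS;
    for (size_t i = 0; i < MAX_TARGETS; i++)
        hs->arena[i] = 0x1000 + i;           /* constructed target identifiers */
    for (size_t i = MAX_TARGETS; i < ARENA_SLOTS; i++)
        hs->arena[i] = OTHER_DATA;           /* constructed "other kernel data" */
}

/* Unchecked pattern (the defect the advisory describes): num_written is used
 * directly as the loop bound over a buffer sized for max_targets entries.
 * Returns the number of entries copied into 'out'. The cap at ARENA_SLOTS is
 * a guard for this model only, so the example stays inside its own array. */
static size_t copy_targets_unchecked(const struct host_state *hs,
                                     const struct discover_targets_rsp *rsp,
                                     uint64_t *out)
{
    uint32_t n = rsp->num_written;
    if (n > ARENA_SLOTS)
        n = ARENA_SLOTS;
    for (uint32_t i = 0; i < n; i++)
        out[i] = hs->arena[i];               /* i >= max_targets reads past the target buffer */
    return n;
}

/* Hardened form: validate num_written against max_targets before any
 * indexing. Returns -1 and copies nothing for an oversized count, otherwise
 * the number of entries copied. */
static long copy_targets_checked(const struct host_state *hs,
                                 const struct discover_targets_rsp *rsp,
                                 uint64_t *out)
{
    if (rsp->num_written > hs->max_targets)
        return -1;                           /* reject the malformed response */
    for (uint32_t i = 0; i < rsp->num_written; i++)
        out[i] = hs->arena[i];
    return (long)rsp->num_written;
}

/* Does the copied data contain anything from beyond the target buffer? */
static int leaks_nontarget_data(const uint64_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (out[i] == OTHER_DATA)
            return 1;
    return 0;
}

int main(void)
{
    struct host_state hs;
    struct discover_targets_rsp rsp = { .num_written = MAX_TARGETS + 2 };
    uint64_t out[ARENA_SLOTS];
    init_host(&hs);

    size_t n = copy_targets_unchecked(&hs, &rsp, out);
    printf("unchecked: copied %zu entries, non-target data leaked=%d\n",
           n, leaks_nontarget_data(out, n));

    long m = copy_targets_checked(&hs, &rsp, out);
    printf("checked: result %ld (negative means rejected)\n", m);
    return 0;
}
```

The point of the model is the ordering: the count from the peer is compared against the size the buffer was actually allocated for before it is ever used as an index or loop bound, and a failed check copies nothing, so no bytes outside the target buffer can end up in the reply.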
Exploitation of this vulnerability allows for unauthorized access to kernel memory, potentially leading to information leakage.
To reproduce this vulnerability, a VIO server must be configured to send a 'discover targets' response with a 'num_written' value that exceeds the 'max_targets' limit. This response should be directed to a system running the affected version of the Linux kernel with the SCSI ibmvfc driver active. Once the response is received, the driver will process the out-of-bounds value, access unauthorized kernel memory, and leak this information back to the VIO server.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation or through the package management system of the respective Linux distribution.