Linux Kernel Crypto CCP ID Copy Userspace Overflow Vulnerability

Vulnerability

A vulnerability in the Linux kernel's crypto component, specifically within the CCP driver, has been addressed. The issue arose when the kernel attempted to copy an ID blob to userspace after a firmware command failed. If the failure was due to an invalid length—meaning the userspace buffer was too small—this could lead to a buffer overflow, allowing data to leak into userspace. The vulnerability was identified as a 'slab-out-of-bounds' error by the Kernel Address Sanitizer (KASAN), indicating a memory safety issue where the kernel read beyond the allocated buffer size.

Impact

Exploitation of this vulnerability could result in a buffer overflow, causing a memory safety violation that leaks kernel memory into userspace. Such memory leaks can potentially be exploited to execute arbitrary code or cause other unintended behavior.

Reproduction

The vulnerability can be reproduced by invoking the SEV_GET_ID2 command through the CCP driver. If the firmware command fails due to an invalid length, the kernel will incorrectly attempt to copy the ID blob to a userspace buffer, leading to a buffer overflow. This can be observed by monitoring the KASAN reports, which will indicate a 'slab-out-of-bounds' error, showing that the kernel has read beyond the limits of an allocated memory buffer.
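
The failure path described above, as an added userspace model in C (not the kernel's CCP driver code and not part of the original advisory). The mock firmware, its status code, the 64-byte blob size and every function name are assumptions made for illustration; the model reports how far an unguarded copy would read past the allocation without performing it, next to a guarded version that copies only after the command succeeds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ID_BLOB_LEN 64    /* constructed: bytes the mock firmware needs */
#define FW_INVALID_LEN 1  /* constructed status code */
struct id_cmd { unsigned char *buf; size_t len; };
static unsigned char user_buf[ID_BLOB_LEN]; /* stands in for the caller's buffer */

/* Mock firmware (assumption): a short buffer fails and the required length is written back. */
static int mock_fw_get_id(struct id_cmd *cmd)
{
    int short_buf = cmd->len < ID_BLOB_LEN;
    if (!short_buf)
        memset(cmd->buf, 0xA5, ID_BLOB_LEN);
    cmd->len = ID_BLOB_LEN;
    return short_buf ? FW_INVALID_LEN : 0;
}

/* Unguarded pattern: copy cmd.len bytes whatever the status. Returns how
 * many bytes past the allocation that copy would read (copy not performed). */
size_t unguarded_overread(size_t user_len)
{
    struct id_cmd cmd = { calloc(1, user_len), user_len };
    if (!cmd.buf) return 0;
    mock_fw_get_id(&cmd);                 /* status ignored */
    free(cmd.buf);
    return cmd.len > user_len ? cmd.len - user_len : 0;
}

/* Guarded: copy only after success, bounded by the allocation; -1 on failure. */
long guarded_get_id(unsigned char *dst, size_t user_len)
{
    struct id_cmd cmd = { calloc(1, user_len), user_len };
    long copied = -1;
    if (!cmd.buf) return -1;
    if (mock_fw_get_id(&cmd) == 0 && cmd.len <= user_len) {
        memcpy(dst, cmd.buf, cmd.len);
        copied = (long)cmd.len;
    }
    free(cmd.buf);
    return copied;
}

int main(void)
{
    printf("over-read: %zu, guarded: %ld\n", unguarded_overread(16), guarded_get_id(user_buf, 16));
    return 0;
}
```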

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 1, 2026, 2:39 PM
Updated: May 1, 2026, 2:39 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.