Linux Kernel Buffer Overflow Vulnerability in Xen-Related Sysfs File

Vulnerability

A buffer overflow vulnerability has been identified in the Linux kernel's Xen hypervisor interface. The issue arises in the sysfs file '/sys/hypervisor/properties/buildid', which exposes a binary build ID from the hypervisor that is not properly null-terminated. The kernel driver uses 'sprintf' to write this data to a user-readable buffer; because 'sprintf' treats the data as a string and stops only at a null byte, this can lead to a potential out-of-bounds read. In some cases, this could even allow writing past the 4KB sysfs buffer limit, possibly overwriting kernel memory or leaking sensitive information.

Impact

Exploitation of this vulnerability could lead to unauthorized information disclosure, denial-of-service conditions, and potentially allow privilege escalation within the affected Linux Xen domain.

Reproduction

The vulnerability can be reproduced by accessing the '/sys/hypervisor/properties/buildid' sysfs file in a Linux Xen domain running a vulnerable kernel version. The build ID is read by the 'buildid_show' function, which uses 'sprintf' to copy the data into a buffer. Since the build ID is binary and not null-terminated, this can cause a buffer overflow, with 'sprintf' reading past the end of the intended data.
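The following user-space sketch is an added example, not the kernel's code or the upstream patch. It reproduces the pattern described above on a constructed memory image and contrasts it with a length-bounded copy; the names show_string, show_bounded, mem and ID_LEN are hypothetical, and the 20-byte build ID and neighbouring data are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

#define SYSFS_BUF 4096  /* the 4KB sysfs buffer limit mentioned above */
#define ID_LEN 20       /* constructed build ID length for this demo */

/* Constructed memory image: 20 binary build ID bytes with no NUL
 * terminator, directly followed by unrelated data that ends in NUL. */
static unsigned char mem[ID_LEN + 8];

static void setup(void)
{
    for (int i = 0; i < ID_LEN; i++)
        mem[i] = (unsigned char)(0xA1 + i);   /* non-zero binary bytes */
    memcpy(mem + ID_LEN, "SECRET!", 8);       /* neighbour, includes NUL */
}

/* Pattern described on the page: "%s" ignores the known length and keeps
 * reading until it meets a zero byte. snprintf is used here only so the
 * demo itself cannot write past its output buffer. */
static int show_string(char *out, size_t out_size)
{
    return snprintf(out, out_size, "%s", (const char *)mem);
}

/* Hardened form: copy exactly the reported length, capped at the buffer. */
static int show_bounded(char *out, size_t out_size,
                        const unsigned char *id, size_t len)
{
    if (len > out_size)
        len = out_size;
    memcpy(out, id, len);
    return (int)len;
}

int main(void)
{
    char out[SYSFS_BUF];
    setup();
    printf("%%s copied %d bytes (build ID is %d)\n",
           show_string(out, sizeof out), ID_LEN);
    printf("bounded copied %d bytes\n",
           show_bounded(out, sizeof out, mem, ID_LEN));
    return 0;
}
```

The string-formatted path returns more bytes than the build ID contains because it runs into the adjacent data, while the bounded copy returns exactly the stated length regardless of what follows it in memory.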

Remediation

The vulnerability has been patched in the Linux kernel. The patch is available in the official Linux Git repository.

Added: Apr 30, 2026, 11:20 AM
Updated: Apr 30, 2026, 11:20 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 6.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.