Linux Kernel Out-of-Bounds Read Vulnerability in Dentry Hash Table

An out-of-bounds read vulnerability has been identified in the Linux kernel's dentry hash table management. This issue arises when the 'dhash_entries' parameter is set to 1, leading to a page fault error. The root cause is a miscalculation in the hash table's bucket allocation, allowing access to unallocated memory regions. The vulnerability affects the dcache component of the Linux kernel.

Impact

Exploitation of this vulnerability causes an out-of-bounds read, which can lead to undefined behavior such as memory corruption or information disclosure.

Reproduction

The vulnerability can be reproduced by setting the 'dhash_entries' parameter to 1. This configuration causes the dentry hash table to allocate only one bucket, while the hash shift value is incorrectly set to 32. As a result, operations that rely on the hash table will attempt to access memory regions that have not been allocated, triggering the out-of-bounds read.

Remediation

The vulnerability has been addressed by modifying the minimum bucket allocation to two, ensuring that the hash shift value does not exceed the bit width of the data type, thus preventing the out-of-bounds access.