Linux Kernel NTB Hardware Switchtec Shift-Out-of-Bounds Vulnerability

Vulnerability

A shift-out-of-bounds vulnerability has been identified in the NTB hardware switchtec driver of the Linux kernel. The issue arises when the number of memory window (MW) LUTs is zero, which can occur depending on the NTB configuration. In that case the function 'rounddown_pow_of_two' is applied to zero, a value for which it has no valid result, and the resulting out-of-bounds shift is undefined behavior. The vulnerability is present in the Linux kernel stable tree.

Impact

The vulnerability can cause undefined behavior due to the improper handling of zero MW LUTs, potentially leading to memory corruption or other unintended consequences.

Reproduction

The vulnerability can be reproduced by configuring the NTB hardware switchtec driver in a way that sets the number of MW LUTs to zero. This can be done by manipulating the NTB configuration settings. Once the driver is loaded with this configuration, the issue will manifest as the driver incorrectly processes the zero value, leading to a shift-out-of-bounds condition.

Remediation

Users can apply the latest patch available in the Linux kernel stable tree, which modifies the NTB hardware switchtec driver to check for valid MW LUT values before applying the 'rounddown_pow_of_two' function. Instructions for downloading the patched version can be found in the Linux kernel Git repository.
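
The failure mode and the guard described above, as an added example that is not the driver's code or the upstream patch: a userspace C model that treats 'rounddown_pow_of_two' as 1UL << (fls_long(n) - 1), shows the shift count becoming -1 for a zero count, and skips the shift in that case. The names model_fls_long, rounddown_shift, checked_rounddown_pow_of_two and normalise_lut_count, and the sample values, are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace model of the kernel's fls_long(): 1-based position of the
 * highest set bit, 0 when no bit is set. */
static int model_fls_long(unsigned long n)
{
	int pos = 0;

	for (; n; n >>= 1)
		pos++;
	return pos;
}

/* Shift count used by a "1UL << (fls_long(n) - 1)" rounddown.
 * For n == 0 this is -1: a negative shift, which C leaves undefined. */
static int rounddown_shift(unsigned long n)
{
	return model_fls_long(n) - 1;
}

/* Guarded rounddown: shifts only when the count is valid.
 * Returns 0 on success, -1 when n has no power of two at or below it. */
static int checked_rounddown_pow_of_two(unsigned long n, unsigned long *out)
{
	int shift = rounddown_shift(n);

	if (shift < 0)
		return -1;
	*out = 1UL << shift;
	return 0;
}

/* Hypothetical init step (not the driver's code): normalise a LUT window
 * count read from configuration, passing a zero count through unchanged. */
static unsigned long normalise_lut_count(unsigned long lut_count)
{
	unsigned long rounded = 0;

	return checked_rounddown_pow_of_two(lut_count, &rounded) ? 0 : rounded;
}

int main(void)
{
	unsigned long samples[] = { 0, 1, 5, 8, 13, 64 }; /* constructed */
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("lut_count=%lu shift=%d normalised=%lu\n", samples[i],
		       rounddown_shift(samples[i]), normalise_lut_count(samples[i]));
	return 0;
}
```

Building the unguarded form with -fsanitize=shift (UBSAN) in userspace reports the same class of shift-out-of-bounds error at the shift expression.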

Added: May 6, 2026, 4:51 PM
Updated: May 6, 2026, 4:51 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.