Linux Kernel Dpaa2 Switch Out-of-Bounds Write Vulnerability

A vulnerability in the Linux kernel's dpaa2 switch driver allows for out-of-bounds writes. The issue arises because the driver does not validate the number of interfaces (num_ifs) obtained from firmware against a maximum limit of 64. This lack of validation can lead to writing past the bounds of a fixed-size array, potentially causing memory corruption. The vulnerability is present in the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can lead to memory corruption by allowing writes beyond the allocated bounds of an array, which could potentially be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by configuring the dpaa2 switch driver to receive a num_ifs value of 64 or greater from the firmware. This can be done by manipulating the firmware attributes that the driver reads during initialization. Once the driver is loaded with the modified firmware attributes, the lack of validation will allow the driver to write past the array bounds, causing an out-of-bounds write.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.