Linux Kernel NTB Hardware Switchtec Array Index Out-of-Bounds Vulnerability

An array index out-of-bounds vulnerability has been identified in the NTB hardware switchtec driver of the Linux kernel. This issue arises because the number of memory write look-up tables (MW LUTs) can be configured to exceed safe limits, leading to invalid memory access. The vulnerability has been addressed by adding checks to prevent out-of-bounds access and by notifying users of any invalid configurations.

Impact

Exploitation of this vulnerability could lead to out-of-bounds memory access, potentially causing a crash or allowing for arbitrary memory manipulation.

Reproduction

The vulnerability can be reproduced by configuring the number of MW LUTs to exceed the maximum allowed value, MAX_MWS. This can be done by adjusting the NTB configuration settings. Once the configuration is set, the driver will attempt to access the memory write sizes array, mw_sizes, using the invalid index, causing an out-of-bounds access.

Remediation

Users can apply the latest patch available in the Linux kernel stable tree to address this vulnerability. The patch can be downloaded from the Linux kernel Git repository.