Linux Kernel ARM Processor CPER Record Buffer Overrun Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of ARM processor CPER records can lead to a buffer overrun. The issue arises because the kernel does not properly validate the 'section_length' field in these records. When the firmware sends a CPER record with an excessively large section length, the kernel blindly accepts it, resulting in a dump of data that extends far beyond the intended memory area. For example, a record with a section length of over 854 million bytes could cause a significant overflow, dumping excessive data well past the firmware's memory-mapped region. This vulnerability has been addressed by implementing a check to ensure that the section length does not exceed a safe limit, particularly when the ERR_INFO_NUM field indicates a large value.
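
An added example of the kind of length check described above, written as user-space C; it is not the kernel's own code or its patch. The header layout, `ERR_INFO_SIZE`, the function names and the status codes are assumptions made for the illustration, and the sample record is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ERR_INFO_SIZE 32u   /* assumed size of one error-information entry */

/* Assumed, simplified section header; names are illustrative. */
struct arm_sec_hdr {
    uint32_t validation_bits;
    uint16_t err_info_num;     /* ERR_INFO_NUM: count of entries that follow */
    uint16_t context_info_num;
    uint32_t section_length;   /* firmware-supplied, untrusted */
    uint8_t  affinity_level, reserved[3];
    uint64_t mpidr, midr;
    uint32_t running_state, psci_state;
};

enum sec_status { SEC_OK, SEC_TRUNCATED, SEC_LEN_TOO_BIG, SEC_LEN_TOO_SMALL };

/* avail = bytes actually delivered for this section, never the claimed length. */
enum sec_status check_arm_section(const uint8_t *buf, size_t avail, size_t *dump_len)
{
    struct arm_sec_hdr h;

    *dump_len = 0;
    if (avail < sizeof(h))
        return SEC_TRUNCATED;
    memcpy(&h, buf, sizeof(h));
    if (h.section_length > avail)            /* claims more than was delivered */
        return SEC_LEN_TOO_BIG;
    if (sizeof(h) + (size_t)h.err_info_num * ERR_INFO_SIZE > h.section_length)
        return SEC_LEN_TOO_SMALL;            /* entries would not fit in the section */
    *dump_len = h.section_length;            /* only now safe to dump this many bytes */
    return SEC_OK;
}

/* Constructed sample: header plus two zeroed entries, 104 bytes in total. */
enum sec_status check_sample(uint16_t n, uint32_t claimed, size_t *dump_len)
{
    uint8_t buf[sizeof(struct arm_sec_hdr) + 2 * ERR_INFO_SIZE] = {0};
    struct arm_sec_hdr h = { .err_info_num = n, .section_length = claimed };

    memcpy(buf, &h, sizeof(h));
    return check_arm_section(buf, sizeof(buf), dump_len);
}

int main(void)
{
    size_t len;
    printf("%d\n", check_sample(2, 104, &len));        /* consistent record */
    printf("%d\n", check_sample(2, 854918320u, &len)); /* length from the advisory */
    printf("%d\n", check_sample(1000, 104, &len));     /* entry count exceeds length */
    return 0;
}
```

The dump length is taken from the record only after both comparisons pass, so a rejected record never drives a read.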

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by overwriting memory and potentially leading to a system crash.

Reproduction

To reproduce this vulnerability, send an ARM processor CPER record with a 'section_length' value that is excessively large, such as 854918320 bytes. The kernel will accept this value without proper validation, causing a memory dump that exceeds the firmware's allocated memory space.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: May 6, 2026, 12:42 PM
Updated: May 6, 2026, 12:42 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.