Linux Kernel GEM Shmem Scatterlist Length Overflow Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of Graphics Execution Manager (GEM) shared memory objects can lead to a scatterlist length overflow. The issue occurs when the scatterlist table of a GEM shmem object of 4 GB or more is filled with pages from a folio. The scatterlist's length attribute is an unsigned int, so it may overflow if the total byte length of the allocated pages exceeds 4 GB. Consequently, users may encounter an unexpected, premature end of the object's backing pages.
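The wraparound described above, as an added userspace model (not kernel code and not the upstream fix), shown next to a bounded variant that starts a new entry instead of wrapping. `struct sg_model`, both functions, the 4096-byte page size and the 512-page folio are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096ULL                      /* assumed page size */
#define MAX_SEG (UINT_MAX & ~(PAGE_SZ - 1))  /* largest page-aligned value of a 32-bit length */
/* Userspace stand-in for a scatterlist entry; only the unsigned int length matters. */
struct sg_model { unsigned int length; };

/* Coalesce every folio into one entry with no bound: length wraps modulo 2^32. */
static unsigned int fill_unguarded(uint64_t nr_pages, uint64_t folio_pages)
{
    struct sg_model sg = { 0 };
    while (nr_pages && folio_pages) {
        uint64_t take = nr_pages < folio_pages ? nr_pages : folio_pages;
        sg.length += (unsigned int)(take * PAGE_SZ);
        nr_pages -= take;
    }
    return sg.length;
}

/* Bounded variant: returns entries used, or 0 if the table is too small. */
static size_t fill_guarded(struct sg_model *tbl, size_t cap,
                           uint64_t nr_pages, uint64_t folio_pages)
{
    size_t n = 0;
    if (!cap || !folio_pages) return 0;
    tbl[0].length = 0;
    while (nr_pages) {
        uint64_t room = (MAX_SEG - tbl[n].length) / PAGE_SZ;  /* pages that still fit */
        uint64_t take = nr_pages < folio_pages ? nr_pages : folio_pages;
        if (!room) {                 /* entry full: advance instead of wrapping */
            if (++n == cap) return 0;
            tbl[n].length = 0;
            continue;
        }
        if (take > room) take = room;
        tbl[n].length += (unsigned int)(take * PAGE_SZ);
        nr_pages -= take;
    }
    return n + 1;
}

int main(void)
{
    struct sg_model tbl[2];
    uint64_t pages = (4ULL << 30) / PAGE_SZ;   /* constructed: a 4 GiB object */
    size_t n = fill_guarded(tbl, 2, pages, 512);
    printf("unguarded=%u guarded=%zu entries\n", fill_unguarded(pages, 512), n);
}
```

In the unguarded case a 4 GiB object ends up with a recorded length of 0, which is how a consumer walking the table sees the backing pages end early.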

Impact

This vulnerability can cause a denial of service by leading to unexpected, premature ends of an object's backing pages, disrupting normal operations.

Reproduction

The vulnerability can be reproduced by creating a GEM shmem object larger than 4 GB and populating its scatterlist with pages allocated from a folio. Monitor the length attribute of the scatterlist, which may overflow and cause premature termination of the object's backing pages.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: May 8, 2026, 9:33 PM
Updated: May 8, 2026, 9:33 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.