Linux Kernel NVMe PCI Slab-Out-Of-Bounds Vulnerability

Vulnerability

A slab-out-of-bounds vulnerability has been identified in the Linux kernel's NVMe PCI driver. The 'online_queues' count, which is incremented in 'nvme_init_queue', is used by the loop in 'nvme_dbbuf_set' that walks the queues, and the loop's index range allows an index beyond the valid queue entries to be accessed. The vulnerability is present in the stable group of the Linux kernel. It can be reproduced by triggering 'nvme_dbbuf_set', whose mishandling of the queue indices leads to an out-of-bounds memory access. The fix corrects the index range of that loop so that it stays within valid limits and excludes the admin queue.
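To make the index-range problem concrete, here is an added, deliberately simplified C model written for this page; it is not the kernel's code, and it assumes that the queue array holds exactly 'online_queues' entries with the admin queue at index 0. A bounds-checked accessor stands in for what KASAN reports at run time, and the two walks differ only in their upper bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model for illustration, not the kernel's own code.
 * Assumption: the queue array holds exactly online_queues entries, queues[0]
 * is the admin queue and queues[1..online_queues-1] are the I/O queues. */

/* Bounds-checked stand-in for touching one per-queue structure: where
 * the real driver would read past the allocation (what KASAN reports
 * as slab-out-of-bounds), this reports the index and returns false. */
static bool touch_queue(size_t online_queues, size_t idx)
{
	if (idx >= online_queues) {
		fprintf(stderr, "out-of-bounds: queues[%zu], only %zu exist\n",
			idx, online_queues);
		return false;
	}
	return true;
}

/* Walk the I/O queues with an inclusive upper bound and count accesses
 * outside the array: queues[online_queues] is always one past the end. */
static int walk_inclusive(size_t online_queues)
{
	int oob = 0;
	for (size_t i = 1; i <= online_queues; i++)
		if (!touch_queue(online_queues, i))
			oob++;
	return oob;
}

/* Same walk with an exclusive upper bound: skips the admin queue at
 * index 0 and stops at the last initialised queue, all in range. */
static int walk_exclusive(size_t online_queues)
{
	int oob = 0;
	for (size_t i = 1; i < online_queues; i++)
		if (!touch_queue(online_queues, i))
			oob++;
	return oob;
}

int main(void)
{
	printf("inclusive bound: %d out-of-bounds access(es)\n", walk_inclusive(4));
	printf("exclusive bound: %d out-of-bounds access(es)\n", walk_exclusive(4));
	return 0;
}
```

With only the admin queue online (a count of 1), the inclusive walk still makes one out-of-bounds access while the exclusive walk makes none.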

Impact

Exploitation of this vulnerability causes a slab-out-of-bounds memory access, which can lead to undefined behavior, including potential memory corruption or information leakage.

Reproduction

The vulnerability can be reproduced by loading the NVMe PCI driver in a Linux kernel environment. Once the driver is active, 'nvme_dbbuf_set' is called and iterates over the queue indices derived from 'online_queues'. Because of the incorrect loop condition, the function accesses memory outside the allocated bounds, and KASAN (Kernel Address Sanitizer) reports a slab-out-of-bounds access. The report appears while the 'nvme_reset_work' task is processed on the kernel's workqueue, where the out-of-bounds read occurs.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been fixed. The official Linux kernel Git repository contains the latest stable releases.

Added: May 8, 2026, 7:49 PM
Updated: May 8, 2026, 7:49 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.