Linux Kernel Integer Underflow Vulnerability in Crypto Library's MPI Scatterlist Handling

Vulnerability

A vulnerability has been identified in the Linux kernel's crypto library, specifically within the 'mpi_read_raw_from_sgl()' function. The issue is an integer underflow that occurs when the function subtracts 'lzeros' from the unsigned 'nbytes' parameter. It can be triggered if the scatterlist 'sgl' contains more bytes than 'nbytes' and the first 'nbytes + 1' bytes are zero. Under these conditions, the loop processing the scatterlist counts more zeros than 'nbytes', so the subtraction underflows. The bug was introduced in a previous commit but could not be exploited until a recent change in the key management system's encryption process created the necessary conditions. Exploiting the vulnerability causes a denial of service: the kernel becomes stuck in a loop, resulting in a soft lockup.
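The arithmetic described above, as an added userspace model (not kernel source and not the upstream patch). 'struct seg', the function names and the sample data are hypothetical stand-ins, and capping the zero scan at 'nbytes' is one assumed way to keep the subtraction from wrapping.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for one scatterlist entry (not the kernel's struct). */
struct seg { const unsigned char *buf; unsigned int len; };

/* Constructed sample: 8 zero bytes split over two entries. */
static const unsigned char zeros[8] = {0};
static const struct seg sample_sgl[2] = { { zeros, 5 }, { zeros, 3 } };

/* Count leading zero bytes across the entries, scanning at most `limit`. */
static unsigned int leading_zeros(const struct seg *sgl, size_t nsegs,
                                  unsigned int limit)
{
    unsigned int lzeros = 0;
    for (size_t i = 0; i < nsegs; i++) {
        for (unsigned int j = 0; j < sgl[i].len; j++) {
            if (lzeros == limit || sgl[i].buf[j] != 0)
                return lzeros;
            lzeros++;
        }
    }
    return lzeros;
}

/* Pattern from the advisory: the scan is limited only by the size of the
 * scatterlist, so lzeros can exceed nbytes and the subtraction wraps. */
unsigned int remaining_unbounded(const struct seg *sgl, size_t nsegs,
                                 unsigned int nbytes)
{
    return nbytes - leading_zeros(sgl, nsegs, ~0u);
}

/* Assumed mitigation: never count more than nbytes zeros, so the
 * result always stays within 0..nbytes. */
unsigned int remaining_bounded(const struct seg *sgl, size_t nsegs,
                               unsigned int nbytes)
{
    return nbytes - leading_zeros(sgl, nsegs, nbytes);
}

int main(void)
{
    /* nbytes = 4, but the scatterlist holds 8 zero bytes. */
    printf("unbounded: %u\n", remaining_unbounded(sample_sgl, 2, 4));
    printf("bounded:   %u\n", remaining_bounded(sample_sgl, 2, 4));
    return 0;
}
```

A length that wraps to a value near the maximum of 'unsigned int' is the kind of input that keeps a byte-processing loop running far longer than intended, which matches the soft lockup the advisory reports.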

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the kernel to become unresponsive and generate soft lockup warnings.

Reproduction

To reproduce this vulnerability, invoke a 'KEYCTL_PKEY_ENCRYPT' system call with an 'out_len' parameter greater than 'in_len', while filling the 'in' buffer with zeros. This will prompt the 'crypto_akcipher_sync_prep()' function to generate a scatterlist that meets the vulnerability's requirements, ultimately triggering the integer underflow in 'mpi_read_raw_from_sgl()'.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: May 19, 2026, 12:25 PM
Updated: May 19, 2026, 12:25 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 3.1
relevance: 8.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.