Linux Kernel ibmasm Heap Over-Read Vulnerability in ibmasm_send_i2o_message Function

Vulnerability

A heap over-read vulnerability has been identified in the Linux kernel's ibmasm driver. The issue arises in the ibmasm_send_i2o_message() function, where the byte count for a memory copy operation is calculated based on user-controlled fields in the dot_command_header. This size is not validated against the actual allocated buffer size, allowing a root user to manipulate header fields and cause the function to read approximately 65 KB from the kernel heap, adjacent to the original allocation. This leaked data is then sent to the service processor via memory-mapped I/O. The vulnerability can disrupt synchronization with the service processor by sending an inconsistent message header, according to the commit that introduced the vulnerability.
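The missing validation described above, as an added user-space example (not the driver's code and not the upstream patch). The header field layout is an assumption for illustration, and `claimed_size`, `copy_len_unchecked` and `copy_len_checked` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout for illustration: both size fields are caller-supplied. */
struct dot_command_header {
    uint8_t  type;
    uint8_t  command_size;
    uint16_t data_size;
    uint8_t  status, reserved;
};

/* Length the message claims for itself: header + command + data. */
static size_t claimed_size(const struct dot_command_header *h)
{
    return sizeof(*h) + h->command_size + h->data_size;
}

/* Unchecked pattern: the copy length comes from the header alone. */
static size_t copy_len_unchecked(const void *buf)
{
    struct dot_command_header h;
    memcpy(&h, buf, sizeof(h));
    return claimed_size(&h);
}

/* Checked pattern: reject any claim larger than the real allocation. */
static int copy_len_checked(const void *buf, size_t alloc_len, size_t *out)
{
    struct dot_command_header h;
    if (alloc_len < sizeof(h))
        return -1;                 /* too short to hold a header */
    memcpy(&h, buf, sizeof(h));
    if (claimed_size(&h) > alloc_len)
        return -1;                 /* header claims more than was allocated */
    *out = claimed_size(&h);
    return 0;
}

int main(void)
{
    /* Constructed sample: 16-byte allocation, size fields set to their maximum. */
    uint8_t buf[16] = {0};
    struct dot_command_header h = { .command_size = 0xff, .data_size = 0xffff };
    size_t n = 0;
    memcpy(buf, &h, sizeof(h));
    /* The header alone yields 6 + 255 + 65535 bytes; the check refuses it. */
    return (copy_len_unchecked(buf) == 65796 &&
            copy_len_checked(buf, sizeof(buf), &n) == -1) ? 0 : 1;
}
```

With both size fields at their maximum the claimed length is 65796 bytes, which matches the roughly 65 KB over-read the advisory describes.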

Impact

Exploitation of this vulnerability leads to a heap over-read, causing the kernel to read and leak memory from the heap into a user-controlled space, which can then be accessed by the attacker.

Reproduction

To reproduce this vulnerability, a root user can send a crafted buffer to the ibmasm_send_i2o_message() function. The buffer should include inflated header fields that increase the reported command size and data size. Once the buffer is sent, the function will use the inflated sizes to perform a memory copy operation that over-reads into adjacent heap memory. This leaked data can then be forwarded to the service processor over MMIO, demonstrating the vulnerability's impact.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: May 27, 2026, 9:13 PM
Updated: May 27, 2026, 9:13 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.8
exploitability: 3.8
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.