Linux Kernel DAMON Core Out-of-Bounds Memory Access Vulnerability

Vulnerability

A vulnerability in the Linux kernel's DAMON (Data Access Monitoring) core has been addressed. Users could set the 'damos_quota_goal->nid' value arbitrarily for 'node_memcg_{used,free}_bp', leading to unvalidated data being used in 'NODE_DATA()'. This lack of validation could cause out-of-bounds memory access. The issue can be reproduced with the DAMON user-space tool (damo) by creating a cgroup and starting a DAMON action that targets an invalid node ID, which then triggers a kernel paging request error.

Impact

Exploitation of this vulnerability could lead to out-of-bounds memory access, causing a kernel paging request error and potentially allowing for memory corruption or other unintended behavior.

Reproduction

To reproduce this vulnerability, create a new cgroup and use the DAMON user-space tool (damo) to start a monitoring action. Set the 'damos_quota_goal->nid' to an invalid value, such as -1, for the 'node_memcg_used_bp' metric. This will trigger the vulnerability by causing the kernel to attempt to access memory at an invalid address, resulting in a paging request error.

Remediation

The vulnerability has been fixed by adding validation for the node ID in the DAMON quota goal. Users should update to the latest version of the Linux kernel where this fix has been applied.
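The kind of check this remediation describes, shown as an added user-space C model; it is not the kernel patch and not code from this advisory. All `model_*` names, the table size and the sample values are constructed for illustration; only the `nid` field mirrors the page.

```c
#include <stdbool.h>
#include <stdio.h>

#define MODEL_MAX_NODES 3 /* constructed size of the per-node table */
/* Constructed stand-in for the per-node data the kernel reaches via NODE_DATA(nid). */
struct model_node { bool online; unsigned long used_pages, total_pages; };

static const struct model_node model_nodes[MODEL_MAX_NODES] = {
    { true, 2500, 10000 },
    { true, 9000, 10000 },
    { false, 0, 0 }, /* in range, but not an online node */
};

/* Hypothetical goal struct; only the nid field mirrors the page. */
struct model_quota_goal { int nid; };

/* Reject negative, too-large and offline node IDs before any table access. */
static bool model_nid_valid(int nid)
{
    if (nid < 0 || nid >= MODEL_MAX_NODES)
        return false;
    return model_nodes[nid].online;
}

/* Used-memory ratio in bp (1/10,000). An invalid nid yields 0 instead of
 * indexing outside model_nodes[], which is what nid = -1 would otherwise do. */
static unsigned long model_node_used_bp(const struct model_quota_goal *goal)
{
    if (!model_nid_valid(goal->nid))
        return 0;
    const struct model_node *n = &model_nodes[goal->nid];
    return n->total_pages ? n->used_pages * 10000 / n->total_pages : 0;
}

static unsigned long model_used_bp_for_nid(int nid)
{
    struct model_quota_goal goal = { .nid = nid };
    return model_node_used_bp(&goal);
}

int main(void)
{
    const int samples[] = { 0, 1, 2, -1, MODEL_MAX_NODES }; /* constructed inputs */
    for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("nid=%d -> %lu bp\n", samples[i], model_used_bp_for_nid(samples[i]));
    return 0;
}
```

The validation runs before the table is indexed, so a user-supplied value such as -1 never reaches the lookup.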

Added: May 27, 2026, 9:03 PM
Updated: May 27, 2026, 9:03 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.1
exploitability: 4.3
remediation: 0.0
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.