Linux Kernel Scatterlist Length Calculation Vulnerability in IOV Iteration Extraction

Vulnerability

A vulnerability exists in the Linux kernel's handling of scatterlist length calculations when extracting data from kvec and user buffers. The issue is present in kernel versions from 6.3 up to, but not including, 6.5. Incorrect length calculations allow an sglist entry to exceed the actual number of bytes in a page. Additionally, when extracting user buffers, the sglist is used as temporary scratch space for page pointers, and that scratch space can overlap with existing sglist entries if it is not managed properly. The vulnerability was introduced in kernel 6.3 and remained unaddressed until the extraction function was revised in version 6.5. The flaw has been documented and tested, and the necessary fix has been applied.
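The length problem described above can be modelled in user space. The following is an added example, not kernel code and not taken from the fix: `struct seg`, `split_buffer`, `seg_within_page`, `count_bad` and the 4096-byte page size are hypothetical names and assumptions, and the unclamped branch only models "entry length not limited to the bytes left in the page".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u   /* assumed page size for this model */

/* Hypothetical stand-in for one sglist entry: page base, offset, length. */
struct seg { uintptr_t page; size_t off, len; };

/* An entry is sane only if it stays inside its own page. */
static int seg_within_page(const struct seg *s)
{
    return s->off < MODEL_PAGE_SIZE && s->len <= MODEL_PAGE_SIZE - s->off;
}

/* Split [addr, addr+len) into per-page entries. clamp == 0 records the whole
 * remaining length (faulty pattern); clamp != 0 limits it to the page. */
static size_t split_buffer(uintptr_t addr, size_t len, struct seg *out,
                           size_t max, int clamp)
{
    size_t n = 0;
    for (; len > 0 && n < max; n++) {
        size_t off = addr & (MODEL_PAGE_SIZE - 1);
        size_t in_page = MODEL_PAGE_SIZE - off;       /* bytes left in page */
        size_t step = len < in_page ? len : in_page;
        out[n] = (struct seg){ addr - off, off, clamp ? step : len };
        addr += step;
        len -= step;
    }
    return n;
}

/* Count entries that run past their page; 0 means the list is sane. */
static size_t count_bad(const struct seg *s, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += !seg_within_page(&s[i]);
    return bad;
}

int main(void)
{
    struct seg sg[4];   /* constructed input: 6000 bytes at page offset 3000 */
    size_t n = split_buffer(0x10000 + 3000, 6000, sg, 4, 0);
    printf("unclamped: %zu entries, %zu past page end\n", n, count_bad(sg, n));
    n = split_buffer(0x10000 + 3000, 6000, sg, 4, 1);
    printf("clamped:   %zu entries, %zu past page end\n", n, count_bad(sg, n));
    return 0;
}
```

A check like `seg_within_page` is the invariant a consumer of the list relies on: offset plus length must never exceed the page size.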

Impact

The vulnerability can cause memory management issues by allowing length calculations to exceed actual data boundaries, potentially leading to memory corruption or leaks.

Reproduction

To reproduce this vulnerability, extract data from a kvec into a scatterlist without proper length validation, allowing the extraction to cross page boundaries. Alternatively, extract user buffers into a scatterlist that already contains elements, causing the scratch buffer for page pointers to overlap with existing entries.

Remediation

Users should update to Linux kernel version 6.5 or later, where this vulnerability has been fixed.

Added: Jun 8, 2026, 5:56 PM
Updated: Jun 8, 2026, 5:56 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 9.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.