In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/memhp: Fix access beyond end of drmem array. The bug is an out-of-bounds read one element past the drmem LMB array on the memory hot-remove path; on an affected system it can crash the kernel.

The bug is in dlpar_memory_remove_by_index(), which walks the drmem LMB array looking for the entry whose DRC index matches the requested one. When no entry matches, the loop cursor is left pointing at &drmem_info->lmbs[drmem_info->n_lmbs], one element past the last valid entry of the array.

The debug message at the end of the function then dereferences that pointer, reading base_addr from memory just past the array:

        pr_debug("Failed to hot-remove memory at %llx\n",
                 lmb->base_addr);

The issue was found by inspection and confirmed with KASAN.

Original reference: the KASAN report reproduced below. It was taken with drc index 1234, a value that matches no LMB, and the faulting context is the bash process that issued the hot-remove request.

KASAN report

  pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658
  Read of size 8 at addr c000000364e97fd0 by task bash/949

The fix logs a failed lookup with a separate message that does not touch the cursor, and dereferences the cursor only when the search actually matched an entry.
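The bug and the fix side by side, as an added example that is not the kernel's own code: a simplified model of the drmem LMB array and of dlpar_memory_remove_by_index(). The struct layouts, the DRCONF_MEM_ASSIGNED value, the dlpar_remove_lmb() stand-in and the sample LMB table are all assumed for the example. The buggy variant stops short of the actual read and only reports that the cursor sits at &lmbs[n_lmbs] when the original message would have dereferenced it; the fixed variant has the shape the fix describes.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's struct drmem_lmb and
 * struct drmem_lmb_info (assumed shapes; only the fields this bug touches). */
struct drmem_lmb {
	uint64_t base_addr;
	uint32_t drc_index;
	uint32_t flags;
};

struct drmem_lmb_info {
	struct drmem_lmb *lmbs;
	int n_lmbs;
};

#define DRCONF_MEM_ASSIGNED 0x8u	/* assumed value for this model */

/* Same iteration shape as the kernel's for_each_drmem_lmb(): when the loop
 * runs out without a match, the cursor is &lmbs[n_lmbs], one past the end. */
#define for_each_drmem_lmb(di, lmb) \
	for ((lmb) = (di)->lmbs; (lmb) < &(di)->lmbs[(di)->n_lmbs]; (lmb)++)

/* Stand-in for dlpar_remove_lmb(): only an assigned LMB can be removed. */
static int model_remove_lmb(struct drmem_lmb *lmb)
{
	if (!(lmb->flags & DRCONF_MEM_ASSIGNED))
		return -EINVAL;
	lmb->flags &= ~DRCONF_MEM_ASSIGNED;
	return 0;
}

/* Buggy shape. Instead of performing the out-of-bounds read, this model
 * reports whether the original failure message would have done so:
 * rc is non-zero and the cursor is the end sentinel. */
static bool buggy_path_reads_past_end(struct drmem_lmb_info *di, uint32_t drc_index)
{
	struct drmem_lmb *lmb;
	int lmb_found = 0, rc = 0;
	for_each_drmem_lmb(di, lmb) {
		if (lmb->drc_index == drc_index) {
			lmb_found = 1;
			rc = model_remove_lmb(lmb);
			break;
		}
	}
	if (!lmb_found)
		rc = -EINVAL;
	/* Original: if (rc) pr_debug("Failed to hot-remove memory at %llx\n", lmb->base_addr); */
	return rc != 0 && lmb == &di->lmbs[di->n_lmbs];
}

/* Fixed shape: a failed lookup gets its own message that names only the
 * requested index, and the cursor is dereferenced only after a match. */
static int remove_by_index_fixed(struct drmem_lmb_info *di, uint32_t drc_index)
{
	struct drmem_lmb *lmb;
	int lmb_found = 0, rc = 0;
	for_each_drmem_lmb(di, lmb) {
		if (lmb->drc_index == drc_index) {
			lmb_found = 1;
			rc = model_remove_lmb(lmb);
			break;
		}
	}
	if (!lmb_found) {
		printf("Failed to look up LMB for drc index %x\n", (unsigned)drc_index);
		rc = -EINVAL;
	} else if (rc) {
		printf("Failed to hot-remove memory at %llx\n", (unsigned long long)lmb->base_addr);
	} else {
		printf("Memory at %llx was hot-removed\n", (unsigned long long)lmb->base_addr);
	}
	return rc;
}

/* Constructed sample: three LMBs, the middle one not assigned to this
 * partition. Reset on every call so each scenario starts clean. */
static struct drmem_lmb_info *sample_info(void)
{
	static struct drmem_lmb lmbs[3];
	static struct drmem_lmb_info di = { lmbs, 3 };
	lmbs[0] = (struct drmem_lmb){ 0x00000000ULL, 0x80000000u, DRCONF_MEM_ASSIGNED };
	lmbs[1] = (struct drmem_lmb){ 0x10000000ULL, 0x80000001u, 0 };
	lmbs[2] = (struct drmem_lmb){ 0x20000000ULL, 0x80000002u, DRCONF_MEM_ASSIGNED };
	return &di;
}

int main(void)
{
	/* drc index 0x1234 matches nothing, as in the KASAN report above. */
	printf("buggy path would read past end for 0x1234: %s\n",
	       buggy_path_reads_past_end(sample_info(), 0x1234u) ? "yes" : "no");
	remove_by_index_fixed(sample_info(), 0x1234u);     /* lookup failure */
	remove_by_index_fixed(sample_info(), 0x80000001u); /* found, not assigned */
	remove_by_index_fixed(sample_info(), 0x80000002u); /* removed */
	return 0;
}
```

The point the model makes explicit is that a cursor left by an exhausted for_each_drmem_lmb() loop is a legal pointer to compute and compare but never to read through; the fix keeps the two failure cases (no match, match but removal failed) on separate branches so only the second one touches lmb.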

The patch addressing this vulnerability can be viewed here.

Affected systems are pseries (PAPR) partitions that perform memory DLPAR; the out-of-bounds read happens only when a hot-remove request names a DRC index that matches no LMB, as in the report above. Apply the fix, or move to a kernel that includes it, to remove the crash path.

Track kernel security updates for the distributions you run so that fixes like this one are picked up promptly.

Timeline

Published on: 02/22/2024 17:15:08 UTC
Last modified on: 03/18/2024 18:33:31 UTC