CVE-2022-50717
Description
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: add bounds check on Transfer Tag
ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(), add a bounds check to avoid out-of-bounds access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's NVMe/TCP target (nvmet-tcp), an unchecked Transfer Tag (ttag) allows out-of-bounds access during H2C data PDU handling.
Vulnerability Analysis
The Linux kernel's NVMe over TCP target (nvmet-tcp) is vulnerable to an out-of-bounds memory access due to a missing bounds check on the Transfer Tag (ttag) field. The nvmet_tcp_handle_h2c_data_pdu() function uses ttag as an index to retrieve a command structure from an array, but no validation ensures that the index stays within the allocated array bounds [1][2][3].
Attack Vector
An attacker with network access to a system running the vulnerable nvmet-tcp target can send a malicious NVMe/TCP H2C (Host-to-Controller) Data PDU with a crafted ttag value. The attack is performed remotely over the TCP connection and does not require authentication, as the nvmet-tcp target accepts PDUs from any client on the network.
Impact
Successfully exploiting this vulnerability allows the attacker to trigger an out-of-bounds read or write in kernel memory. This can lead to information disclosure (leaking sensitive kernel data) or a system crash (denial of service). In some configurations, it may be possible to escalate privileges or achieve remote code execution.
Remediation
The fix adds a bounds check to ensure ttag is within the valid range before using it as an array index. The patch has been applied to the Linux kernel stable branches and is available in the referenced commits [1][2][3]. Users should update their kernel to the latest stable release containing the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
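The bounds check described under Remediation, sketched as a userspace C model. This is an added example, not the kernel patch or this page's own code; the struct and function names, the header length and the ttag offset are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: names, offset and length are assumptions, not kernel code. */
#define H2C_TTAG_OFFSET 10  /* assumed byte offset of the 16-bit little-endian ttag */
#define H2C_HDR_LEN     24  /* assumed H2C Data PDU header length */

struct model_cmd { uint16_t id; };
struct model_queue { struct model_cmd *cmds; unsigned int nr_cmds; };

/* Read the wire-supplied ttag; the peer controls this value. */
static int h2c_read_ttag(const uint8_t *pdu, size_t len, uint16_t *ttag)
{
    if (len < H2C_HDR_LEN)
        return -1;          /* truncated header: the field is not there */
    *ttag = (uint16_t)(pdu[H2C_TTAG_OFFSET] | (pdu[H2C_TTAG_OFFSET + 1] << 8));
    return 0;
}

/* Hardened lookup: reject ttag >= nr_cmds before it is used as an index. */
static struct model_cmd *lookup_cmd(struct model_queue *q, const uint8_t *pdu, size_t len)
{
    uint16_t ttag;
    if (h2c_read_ttag(pdu, len, &ttag) != 0)
        return NULL;
    if (ttag >= q->nr_cmds) {
        fprintf(stderr, "out-of-bound ttag %u, nr_cmds %u\n", (unsigned)ttag, q->nr_cmds);
        return NULL;        /* caller treats this as a fatal protocol error */
    }
    return &q->cmds[ttag];
}

/* Constructed sample: 4-entry queue, header carrying the given ttag. */
static int demo_lookup(uint16_t ttag, size_t len)
{
    struct model_cmd cmds[4] = { {0}, {1}, {2}, {3} };
    struct model_queue q = { cmds, 4 };
    uint8_t pdu[H2C_HDR_LEN] = { 0 };
    struct model_cmd *c;
    pdu[H2C_TTAG_OFFSET] = (uint8_t)(ttag & 0xff);
    pdu[H2C_TTAG_OFFSET + 1] = (uint8_t)(ttag >> 8);
    c = lookup_cmd(&q, pdu, len);
    return c ? (int)c->id : -1;
}

int main(void)
{
    printf("ttag 3 -> %d, ttag 4 -> %d\n", demo_lookup(3, H2C_HDR_LEN), demo_lookup(4, H2C_HDR_LEN));
    return 0;
}
```

The comparison is `>=` rather than `>` because valid indices run from 0 to `nr_cmds - 1`; a ttag equal to `nr_cmds` is already one element past the array.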
Affected products (1)
Patches (6): 0d150ccd55db, d5bb45f47b37, ec8adf767e1c, fcf82e4553db, 752593d04637, b6a545ffa2c1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- git.kernel.org/stable/c/0d150ccd55dbfad36f55855b40b381884c98456e (nvd)
- git.kernel.org/stable/c/752593d04637ebdc87fd29cba81897f21ae053f0 (nvd)
- git.kernel.org/stable/c/b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b (nvd)
- git.kernel.org/stable/c/d5bb45f47b37d10f010355686b28c9ebacb361d4 (nvd)
- git.kernel.org/stable/c/ec8adf767e1cfa7031f853b8c71ba1963f07df15 (nvd)
- git.kernel.org/stable/c/fcf82e4553db911d10234ff2390cfd0e2aa854e4 (nvd)