CVE-2022-50756
Description
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: fix mempool alloc size
Convert the max size to bytes to match the units of the divisor that calculates the worst-case number of PRP entries.
The result is used to determine how many PRP Lists are required. The code was previously rounding this to 1 list, but we can require 2 in the worst case. In that scenario, the driver would corrupt memory beyond the size provided by the mempool.
While unlikely to occur (you'd need a 4MB in exactly 127 phys segments on a queue that doesn't support SGLs), this memory corruption has been observed by kfence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A mempool size miscalculation in the Linux kernel's nvme-pci driver can cause a heap buffer overflow when PRP allocation exceeds one list, leading to memory corruption exploitable under specific conditions.
Root Cause
The nvme-pci driver in the Linux kernel contains a mempool allocation size bug in the computation of the worst-case number of PRP (Physical Region Page) entries needed for an I/O [1]. The calculation used the maximum transfer size without converting it to bytes, so its units did not match the divisor and the worst-case PRP entry count was undercounted [1]. As a result the driver sized the mempool for only one PRP list when two could be required, and a request that needed the second list wrote past the memory the mempool provided [1].
Exploitation Conditions
The vulnerability is unlikely to be triggered under typical workloads. It requires a 4MB I/O that is split across exactly 127 physical segments on a queue that does not support SGL (Scatter Gather List) [1]. In such a scenario, the driver's PRP list count would be off by one, writing past the allocated mempool region [1]. No special privileges are needed; an unprivileged user or process that can submit large, physically fragmented block I/O could trigger the condition.
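To make the units mismatch concrete, here is an added C model of the sizing computation the advisory text and the Root Cause and Exploitation Conditions sections describe. It is written for this page and is not the kernel's code. The 4 KiB controller page, the 8-byte PRP entry and the rule that a chained PRP list spends its last slot on a pointer to the next list are NVMe PRP facts; the 4 MB maximum transfer is the figure quoted above. The function names, the "one page of per-request storage per list" model behind `overflow_bytes()` and the clamp of the buggy result to one list are assumptions of this model, not details taken from the driver.

```c
#include <stdio.h>

/* Constants: NVMe PRP facts plus the 4 MB maximum transfer quoted in the
 * advisory. Everything else in this file is a constructed model. */
#define CTRL_PAGE_SIZE   4096u
#define PRP_ENTRY_SIZE   8u
#define ENTRIES_PER_LIST (CTRL_PAGE_SIZE / PRP_ENTRY_SIZE)   /* 512 */
#define MAX_XFER_KB      4096u                               /* 4 MB max I/O */

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* PRP lists needed for a transfer of `len` bytes that starts `off` bytes
 * into its first page. PRP1 covers the first page; with two pages PRP2 is
 * a plain data pointer; with more, PRP2 points at a chain of lists. Every
 * list except the last uses its final slot as the pointer to the next
 * list, so a chained list carries ENTRIES_PER_LIST - 1 data entries. */
unsigned prp_lists_needed(unsigned len, unsigned off)
{
    unsigned pages = DIV_ROUND_UP(off + len, CTRL_PAGE_SIZE);
    unsigned entries;

    if (pages <= 2)
        return 0;                        /* no list at all */
    entries = pages - 1;                 /* pages after the PRP1 page */
    if (entries <= ENTRIES_PER_LIST)
        return 1;                        /* fits in one unchained list */
    return 1 + DIV_ROUND_UP(entries - ENTRIES_PER_LIST, ENTRIES_PER_LIST - 1);
}

/* Worst case the mempool must cover: one request of the maximum size. */
unsigned worst_case_lists(unsigned max_bytes)
{
    return prp_lists_needed(max_bytes, 0);
}

/* Sizing as the advisory describes the bug: the maximum size is fed to the
 * page-size divisor still in KB, so the worst case collapses to one list
 * (modelled here as a clamp to a minimum of one). */
unsigned buggy_pool_lists(void)
{
    unsigned lists = worst_case_lists(MAX_XFER_KB);      /* units mismatch */
    return lists ? lists : 1;
}

/* Sizing after the fix: convert KB to bytes before dividing. */
unsigned fixed_pool_lists(void)
{
    return worst_case_lists(MAX_XFER_KB * 1024);
}

/* Bytes a request would write past per-request storage reserved for
 * `reserved_lists` lists, modelling one page of storage per list.
 * Returns 0 when the request fits. */
unsigned overflow_bytes(unsigned reserved_lists, unsigned len, unsigned off)
{
    unsigned need = prp_lists_needed(len, off);
    return need > reserved_lists ? (need - reserved_lists) * CTRL_PAGE_SIZE : 0;
}

int main(void)
{
    unsigned max_bytes = MAX_XFER_KB * 1024;

    printf("buggy sizing reserves %u list(s), fixed sizing reserves %u\n",
           buggy_pool_lists(), fixed_pool_lists());
    printf("4 MB request overflows buggy pool by %u bytes, fixed pool by %u\n",
           overflow_bytes(buggy_pool_lists(), max_bytes, 0),
           overflow_bytes(fixed_pool_lists(), max_bytes, 0));
    return 0;
}
```

Run as written, the buggy sizing reserves space for a single list while a page-aligned 4 MB request needs two, which is the one-page overrun the advisory describes; a detection tool such as KFENCE sees exactly that write past the end of the reserved region. Because the mismatch only shows at the maximum transfer size, a unit test of the sizing function against the largest request the queue accepts would have caught the defect before it reached a running system.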
Impact
When triggered, the overflow corrupts kernel heap memory beyond the intended mempool buffer [1]. This memory corruption has been observed by KFENCE (Kernel Electric-Fence) during testing [1]. An attacker who can reliably create the required I/O pattern could leverage the corruption to crash the system (denial of service) or potentially escalate privileges, depending on adjacent heap layout.
Mitigation
The fix converts the maximum size to bytes before division, ensuring the worst-case PRP count is correctly computed and that enough mempool entries are allocated [1]. The patch has been applied to the stable kernel tree [1]. Users should update to a kernel version containing the commit c89a529e823d or the equivalent backport.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (5)
- dfb6d54893d5
- 9141144b37f3
- e1777b4286e5
- b1814724e0d7
- c89a529e823d
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/9141144b37f30e3e7fa024bcfa0a13011e546ba9 (nvd)
- git.kernel.org/stable/c/b1814724e0d7162bdf4799f2d565381bc2251c63 (nvd)
- git.kernel.org/stable/c/c89a529e823d51dd23c7ec0c047c7a454a428541 (nvd)
- git.kernel.org/stable/c/dfb6d54893d544151e7f480bc44cfe7823f5ad23 (nvd)
- git.kernel.org/stable/c/e1777b4286e526c58b4ee699344b0ad85aaf83a0 (nvd)
News mentions (0)
No linked articles in our index yet.