CVE-2023-54168
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()
The ucmd->log_sq_bb_count variable is controlled by the user so this shift can wrap. Fix it by using check_shl_overflow() in the same way that it was done in commit 515f60004ed9 ("RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size()").
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's RDMA/mlx4 driver, a user-controlled shift in set_user_sq_size() can cause undefined behavior, fixed by adding overflow checking.
Vulnerability Overview
In the Linux kernel's RDMA/mlx4 driver, the function set_user_sq_size() does not properly validate the ucmd->log_sq_bb_count value before using it in a shift operation. Since log_sq_bb_count is controlled by the user, the shift can overflow, leading to undefined behavior. This issue mirrors a previously fixed vulnerability in the RDMA/hns driver (commit 515f60004ed9).
Exploitation
An attacker with local access and the ability to invoke the affected IOCTL can supply a crafted log_sq_bb_count value to trigger the shift wrapping. No additional privileges are required beyond the ability to interact with the RDMA subsystem, which may be accessible to unprivileged users depending on system configuration.
Impact
Successful exploitation could result in incorrect memory calculations or other undefined behavior, potentially leading to system crashes or privilege escalation. The exact impact depends on the surrounding code context, but shift wrapping can cause out-of-bounds memory access or other memory corruption issues.
Mitigation
The vulnerability was fixed in Linux kernel stable releases by using check_shl_overflow() to prevent the shift from wrapping. Users should update to kernels containing the fix, such as those including commit [1] for the RDMA/mlx4 driver.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
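The shift wrap described above, next to a check modelled on the check_shl_overflow() fix, as an added userspace C example (not the kernel patch and not code from this page). The helper names, the 8-bit width of the user field and the 65536 device limit are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in (assumption) for check_shl_overflow() with a signed
 * 32-bit destination: true when the count is out of range or the result
 * would lose bits or set the sign bit. */
static bool shl_overflows_s32(uint32_t val, unsigned int shift, int32_t *out)
{
    *out = 0;
    if (shift >= 32)
        return true;
    uint64_t wide = (uint64_t)val << shift;
    if (wide > INT32_MAX)
        return true;
    *out = (int32_t)wide;
    return false;
}

/* "Before" pattern: the user-supplied exponent is shifted unvalidated.
 * Truncating a 64-bit shift models the wrap with defined behaviour; the
 * plain `1 << log` on an int is undefined for log >= 31. */
static uint32_t sq_count_unchecked(uint8_t log_bb_count)
{
    return log_bb_count < 64 ? (uint32_t)(1ULL << log_bb_count) : 0;
}

/* "After" pattern: reject a wrapping shift or a count above the
 * (hypothetical) device limit. Returns 0 on success, -1 to reject. */
static int sq_count_checked(uint8_t log_bb_count, uint32_t max_wqes, uint32_t *cnt)
{
    int32_t v;
    if (shl_overflows_s32(1, log_bb_count, &v) || (uint32_t)v > max_wqes)
        return -1;
    *cnt = (uint32_t)v;
    return 0;
}

int main(void)
{
    const uint8_t samples[] = { 10, 16, 17, 31, 32, 255 }; /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples); i++) {
        uint32_t cnt = 0;
        int rc = sq_count_checked(samples[i], 65536, &cnt);
        printf("log=%3u unchecked=%10u checked rc=%d cnt=%u\n", (unsigned)samples[i],
               (unsigned)sq_count_unchecked(samples[i]), rc, (unsigned)cnt);
    }
    return 0;
}
```

In the unchecked path an exponent of 32 or more yields a count of 0, which would pass a later upper-bound comparison; the checked path rejects it before the value is used.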
Affected products
Patches
- 3d5ae269c4bd
- 8feca6259007
- 9ad3221c86cc
- 9911be215572
- 3ce0df349327
- 196a6df08b08
- a183905869e6
- d50b3c73f1ac
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/196a6df08b08699ace4ce70e1efcdd9081b6565f (nvd)
- git.kernel.org/stable/c/3ce0df3493277b9df275cb8455d9c677ae701230 (nvd)
- git.kernel.org/stable/c/3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff (nvd)
- git.kernel.org/stable/c/8feca625900777e02a449e53fe4121339934c38a (nvd)
- git.kernel.org/stable/c/9911be2155720221a4f1f722b22bd0e2388d8bcf (nvd)
- git.kernel.org/stable/c/9ad3221c86cc9c6305594b742d4a72dfbd4ea579 (nvd)
- git.kernel.org/stable/c/a183905869e692b6b7805b7472235585eff8e429 (nvd)
- git.kernel.org/stable/c/d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb (nvd)