VYPR
Unrated severity · NVD Advisory · Published Jan 5, 2026 · Updated Apr 15, 2026

CVE-2025-68763

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: starfive - Correctly handle return of sg_nents_for_len

The return value of sg_nents_for_len was assigned to an unsigned long in starfive_hash_digest, causing negative error codes to be converted to large positive integers.

Add error checking for sg_nents_for_len and return immediately on failure to prevent potential buffer overflows.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's StarFive crypto driver, a signedness error in the handling of sg_nents_for_len's return value turns negative error codes into large unsigned entry counts, risking a buffer overflow.

Vulnerability

In the Linux kernel's crypto subsystem, the StarFive driver's starfive_hash_digest function assigns the int return value of sg_nents_for_len to an unsigned long. When sg_nents_for_len fails it returns a negative errno (it returns -EINVAL when the scatterlist holds fewer bytes than the requested length), and assigning that negative int to an unsigned long converts it modulo 2^64 on a 64-bit target: -EINVAL (-22) becomes 18446744073709551594 [1]. The defect is the mismatch between the helper's int return type and the unsigned long variable receiving it, combined with the absence of an error check before the value is used as an entry count.

Exploitation

The failure path is reached when a hash request's scatterlist holds fewer bytes than the length passed to sg_nents_for_len, so a caller able to submit requests to the StarFive accelerator through the kernel's crypto API could drive the driver into it. The negative return value, once stored as an unsigned long, becomes an enormous entry count; if that count is consumed by later scatterlist or DMA setup without further validation, it can lead to out-of-bounds memory accesses [2]. The attack surface is local: it requires the ability to issue requests to the affected crypto device, not elevated privileges beyond that.

Impact

Successful exploitation could allow an attacker to cause a buffer overflow in kernel memory, leading to system instability (denial of service) or, in principle, arbitrary code execution with kernel privileges. The actual impact depends on how the corrupted count is consumed later in the digest processing path [3].

Mitigation

The fix checks the return value of sg_nents_for_len and returns the error immediately on failure, so a negative code is never stored in the unsigned count and never reaches the code that uses it. The patch has been applied to the stable Linux kernel branches. No workaround is available; users should update to a patched kernel [1].
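As an added illustration of the vulnerability and of the mitigation above (example code written for this page, not code from the StarFive driver or the kernel), the following user-space C program models both the buggy assignment and the corrected check. sg_nents_for_len here keeps the real helper's contract of returning the entry count or -EINVAL; struct sg_entry, MAX_SG_ENTRIES, the sample scatterlist and the digest_vulnerable/digest_fixed functions are simplified stand-ins assumed for this example.

```c
/* Added example for CVE-2025-68763: user-space model of the signedness
 * bug and of the fix. Only the contract of sg_nents_for_len mirrors the
 * kernel; everything else is a simplified stand-in, not driver code. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SG_ENTRIES 8  /* assumed capacity of a toy DMA descriptor table */

struct sg_entry {
    unsigned int length;  /* bytes held by this scatterlist segment */
};

/* Constructed input: a 3-segment list holding 48 bytes in total. */
static const struct sg_entry sample_sg[] = { {16}, {16}, {16} };
#define SAMPLE_SG_N (sizeof sample_sg / sizeof sample_sg[0])

/* Same contract as the kernel helper: entries needed to cover @len
 * bytes, or -EINVAL when the list holds fewer than @len bytes. */
static int sg_nents_for_len(const struct sg_entry *sg, size_t n, unsigned long len)
{
    size_t total = 0;
    int nents = 0;

    for (size_t i = 0; i < n; i++) {
        nents++;
        total += sg[i].length;
        if (total >= len)
            return nents;
    }
    return -EINVAL;
}

/* Vulnerable pattern: the int result lands in an unsigned long, so a
 * negative errno is converted modulo ULONG_MAX + 1. -EINVAL (-22) turns
 * into ULONG_MAX - 21, i.e. 18446744073709551594 on 64-bit targets, a
 * value no "is it zero" test can catch. Returns the count that would be
 * handed on to descriptor setup. */
static unsigned long digest_vulnerable(const struct sg_entry *sg, size_t n, unsigned long len)
{
    unsigned long nents = sg_nents_for_len(sg, n, len);  /* sign lost here */

    return nents;
}

/* Fixed pattern: keep the result in an int, test for a negative errno
 * before it is stored or used, and only then widen it. Returns 0 and
 * writes *nents_out on success, or the negative errno on failure. */
static int digest_fixed(const struct sg_entry *sg, size_t n, unsigned long len,
                        unsigned long *nents_out)
{
    int ret = sg_nents_for_len(sg, n, len);

    if (ret < 0)
        return ret;
    *nents_out = (unsigned long)ret;
    return 0;
}

/* Would a given entry count overrun the fixed-size descriptor table? */
static int exceeds_table(unsigned long nents)
{
    return nents > MAX_SG_ENTRIES;
}

int main(void)
{
    unsigned long nents = 0;
    int ret;

    /* A 100-byte request cannot be satisfied by 48 bytes of data. */
    unsigned long bad = digest_vulnerable(sample_sg, SAMPLE_SG_N, 100);
    printf("vulnerable: nents=%lu, exceeds table: %s\n", bad,
           exceeds_table(bad) ? "yes" : "no");

    ret = digest_fixed(sample_sg, SAMPLE_SG_N, 100, &nents);
    printf("fixed: ret=%d (%s)\n", ret, ret == -EINVAL ? "-EINVAL" : "ok");

    /* A 40-byte request is legitimately covered by all 3 segments. */
    ret = digest_fixed(sample_sg, SAMPLE_SG_N, 40, &nents);
    printf("fixed: ret=%d, nents=%lu\n", ret, nents);
    return 0;
}
```

The point the program makes is that the wrapped count is not merely wrong but astronomically large, so any downstream consumer that trusts it will run past whatever fixed-size table it indexes; the fix has to reject the negative value while it is still signed, before the widening conversion happens.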

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in the index yet)