The user can specify a smaller meta buffer than the device is wired to update/access. The kernel makes a copy of the meta buffer into which the device does DMA. As a result, the device overwrites unrelated kernel memory, causing random kernel crashes.

References:
https://lore.kernel.org/linux-nvme/20231013051458.39987-1-joshi.k@samsung.com/T/#u
https://lore.kernel.org/linux-nvme/20231016060519.231880-1-joshi.k@samsung.com/T/#u
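The size mismatch described above, as an added userspace model (not kernel code, and not the upstream fix from the linked threads): the kernel-side copy is sized from the user-supplied meta_len while the device writes the size it is wired for, so a canary placed right after the copy shows the overrun; the hardened variant rejects the request up front. META_PER_BLOCK and the canary layout are constructed assumptions for the model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define META_PER_BLOCK 16u  /* assumed metadata bytes per block ("ms"); constructed value */
#define CANARY 0xA5u        /* fill pattern standing in for unrelated kernel memory */

/* The controller writes exactly the size it is wired for, whatever size the
 * caller's copy of the metadata buffer really has. */
static void device_dma_write_meta(uint8_t *dst, size_t wired_len)
{
    memset(dst, 0x00, wired_len);
}

/* Vulnerable pattern: the bounce buffer is sized from the user-supplied
 * meta_len only; a canary placed right after it stands in for the unrelated
 * kernel memory. Returns 1 if the device write spilled into the canary. */
static int vulnerable_passthru(size_t user_meta_len, size_t nblocks)
{
    size_t wired_len = nblocks * META_PER_BLOCK;
    size_t canary_len = wired_len + 64;
    uint8_t *arena = malloc(user_meta_len + canary_len);
    if (!arena)
        return -1;
    uint8_t *bounce = arena;                  /* kernel copy of the user's meta buffer */
    uint8_t *canary = arena + user_meta_len;  /* whatever happens to follow it */
    memset(bounce, 0xFF, user_meta_len);
    memset(canary, CANARY, canary_len);
    device_dma_write_meta(bounce, wired_len); /* overruns when wired_len > user_meta_len */
    int clobbered = 0;
    for (size_t i = 0; i < canary_len; i++) {
        if (canary[i] != CANARY) {
            clobbered = 1;
            break;
        }
    }
    free(arena);
    return clobbered;
}

/* Hardened pattern: reject the request before any bounce buffer exists unless
 * the caller's buffer covers every byte the device will transfer.
 * Returns -1 (the ioctl would fail with EINVAL) or 0 when the sizes agree. */
static int hardened_passthru(size_t user_meta_len, size_t nblocks)
{
    size_t wired_len = nblocks * META_PER_BLOCK;
    if (user_meta_len < wired_len)
        return -1;
    return 0; /* a bounce buffer of user_meta_len bytes is now safe to DMA into */
}
```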
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2250839]
Is this really considered "high"? From the discussion thread:

> BTW, don't you still need someone with root access to change the
> permissions on the device handle in order for an unprivileged user to
> reach this hole? It's not open access by default, you still have to
> opt-in.
>
> Yes, you need someone with root access to change the device node
> permissions. But we allowed that under the assumption it is safe
> to do so, which it turns out it is not.

So by default the access is still not enabled out of the box.
In reply to comment #4:

> Is this really considered "high"? From the discussion thread:
>
> > BTW, don't you still need someone with root access to change the
> > permissions on the device handle in order for an unprivileged user to
> > reach this hole? It's not open access by default, you still have to
> > opt-in.
> >
> > Yes, you need someone with root access to change the device node
> > permissions. But we allowed that under the assumption it is safe
> > to do so, which it turns out it is not.
>
> So by default the access is still not enabled out of the box.

Seems a valid argument, and Moderate fits quite well: "the types of vulnerabilities that could have had a Critical or Important impact but are less easily exploited based on a technical evaluation of the flaw, and/or affect unlikely configurations" [1].

Updated CVSS score (AC:H) and downgraded impact, thanks!

[1] https://access.redhat.com/security/updates/classification