KernelScan.io

HIGH

svcrdma PageIndex OOB

CVE-2025-71068

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 8.6 HIGH

In the Linux kernel, the following vulnerability has been resolved:

svcrdma: bound check rq_pages index in inline path

svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page.

Engine v0.2.0

Risk summary

Remote attackers can trigger out-of-bounds memory access in the kernel's SUN RPC over RDMA server by sending crafted RPC messages with multiple Read chunks. This can lead to information disclosure, limited memory corruption, or system crashes on servers running NFS over RDMA or other RPC-over-RDMA services.

Affected: net/sunrpc/xprtrdma/svc_rdma_rw.c (svcrdma)

Vulnerability analysis

The vulnerability occurs in svc_rdma_copy_inline_range() where rc_curpage is used as an array index into rqstp->rq_pages without bounds checking against rqstp->rq_maxpages. An attacker can craft RPC-over-RDMA messages that cause rc_curpage to exceed the allocated page array size, leading to an out-of-bounds read of a page pointer and a subsequent write to an uncontrolled kernel address. The fix adds a bounds check before array access and returns -EINVAL if the index is out of range. This is network-reachable through RPC-over-RDMA services and requires no authentication.

Branch      Fixed in    Patch commit
5.15        5.15.198    a22316f5e9a2
6.12        6.12.64     5f140b525180
6.18        6.18.3      da1ccfc4c452
6.6         6.6.120     7ba826aae1d4
mainline    6.19        d1bea0ce35b6