HIGH
rdma umad DataLen Overflow
CVE-2026-23243
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/umad: Reject negative data_len in ib_umad_write

ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the send buffer.

KASAN splat:
[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[  211.365867] ib_create_send_mad+0xa01/0x11b0
[  211.365887] ib_umad_write+0x853/0x1c80
02 KernelScan AI Analysis
Risk summary
A local attacker who can write to an InfiniBand user MAD character device (/dev/infiniband/umadN, exposed by the ib_umad module) can send a MAD whose user header size and management-class header length do not add up, driving data_len negative and causing an out-of-bounds memset in alloc_send_rmpp_list() that corrupts adjacent slab memory. The immediate effect is a kernel crash; because the overwrite lands in slab memory, privilege escalation cannot be ruled out on systems with InfiniBand hardware. Hosts without an RDMA device or without ib_umad loaded do not expose the write path.
Vulnerability analysis
ib_umad_write computes data_len = count - hdr_size(file) - hdr_len, where count is the length of the user's write, hdr_size(file) is the user MAD header size for that file descriptor and hdr_len is the MAD class header length derived from the user-supplied management class. The pre-existing minimum-length check only guarantees that count covers the user header plus an RMPP header, so a class whose header is longer than that leaves data_len negative. data_len is a signed int, so it does not wrap to a large positive value; the negative value is passed straight into ib_create_send_mad(), where the padding calculation for the RMPP segments yields a pad larger than the segment size, and alloc_send_rmpp_list() then zeroes past the segment bounds (the KASAN splat above shows a 220-byte out-of-bounds write). The fix adds an explicit check that rejects a negative data_len before ib_create_send_mad() is called, so the padding arithmetic never sees it.
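To make the arithmetic concrete, the following is an added user-space model written for this page; it is not kernel code and not KernelScan's own analysis. It models three pieces of the path: the data_len computation in ib_umad_write(), the pad computation (modeled after get_pad_size() in drivers/infiniband/core/mad.c), and the padding memset in alloc_send_rmpp_list(). The IB_MGMT_* header sizes are copied from include/rdma/ib_mad.h; UMAD_HDR_SIZE is assumed to be the 64-byte sizeof(struct ib_user_mad_hdr); the function and struct names are this example's own, and the input (the smallest count the old check accepts, paired with a Subnet Administration class MAD) is constructed. It reproduces a 220-byte pad for data_len = -20, the same size as the write reported in the KASAN splat, although the page does not state which count the reporter actually used.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Header sizes as defined in include/rdma/ib_mad.h (copied so this runs stand-alone). */
#define IB_MGMT_MAD_SIZE 256 /* size of a non-OPA MAD; used as mad_size below */
#define IB_MGMT_RMPP_HDR 36  /* the minimum header the umad write path checks for */
#define IB_MGMT_SA_HDR   56  /* header length of a Subnet Administration class MAD */
/* Assumed: sizeof(struct ib_user_mad_hdr), the user header in front of each write. */
#define UMAD_HDR_SIZE    64

struct umad_len { int err; int data_len; };

/*
 * Model of the data_len computation in ib_umad_write().  The pre-existing
 * length check only ensures count covers the user header plus an RMPP header,
 * so a class with a longer header (SA: 56 > 36) leaves data_len negative.
 * data_len is a signed int in the kernel, so it goes negative rather than
 * wrapping to a large positive value.  'hardened' enables the fix's check.
 */
static struct umad_len model_umad_data_len(size_t count, int hdr_len, bool hardened)
{
    struct umad_len r = { 0, 0 };

    if (count < (size_t)(UMAD_HDR_SIZE + IB_MGMT_RMPP_HDR)) {
        r.err = -EINVAL;            /* rejected before the fix as well */
        return r;
    }
    r.data_len = (int)count - UMAD_HDR_SIZE - hdr_len;
    if (hardened && r.data_len < 0)
        r.err = -EINVAL;            /* the fix: reject a negative data_len */
    return r;
}

/* Model of get_pad_size() in drivers/infiniband/core/mad.c. */
static int model_get_pad_size(int hdr_len, int data_len, size_t mad_size)
{
    int seg_size = (int)mad_size - hdr_len;

    if (data_len && seg_size) {
        /* C's % keeps the sign of data_len, so a negative data_len gives pad > seg_size */
        int pad = seg_size - data_len % seg_size;
        return pad == seg_size ? 0 : pad;
    }
    return seg_size;
}

/*
 * Model of the padding memset in alloc_send_rmpp_list(), which zeroes the last
 * pad bytes of the final seg_size-byte RMPP segment (memset(seg->data +
 * seg_size - pad, 0, pad)).  Returns how many of those bytes would land before
 * the start of the segment; 0 means the write stays in bounds.
 */
static int model_pad_overrun(int hdr_len, int data_len, size_t mad_size)
{
    int seg_size = (int)mad_size - hdr_len;
    int pad = model_get_pad_size(hdr_len, data_len, mad_size);

    return pad > seg_size ? pad - seg_size : 0;
}

int main(void)
{
    /* Constructed input: the smallest count the old check accepts, with an SA class MAD. */
    size_t count = UMAD_HDR_SIZE + IB_MGMT_RMPP_HDR;   /* 100 bytes */
    struct umad_len before = model_umad_data_len(count, IB_MGMT_SA_HDR, false);
    struct umad_len after  = model_umad_data_len(count, IB_MGMT_SA_HDR, true);

    printf("before fix: err=%d data_len=%d pad=%d overrun=%d bytes before the segment\n",
           before.err, before.data_len,
           model_get_pad_size(IB_MGMT_SA_HDR, before.data_len, IB_MGMT_MAD_SIZE),
           model_pad_overrun(IB_MGMT_SA_HDR, before.data_len, IB_MGMT_MAD_SIZE));
    printf("after fix:  err=%d (EINVAL is %d)\n", after.err, -EINVAL);
    return 0;
}
```

The model assumes an RMPP-active send, since alloc_send_rmpp_list() and its padding memset are only reached on that path. With the same count and a class whose header is no longer than the RMPP header, data_len stays non-negative and the pad never exceeds the segment size, which is why the pre-existing check was sufficient for those classes and only the longer-header classes expose the bug.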
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | 1371ef6b1ecf |
| 5.15 | 5.15.202 | 362e45fd9069 |
| 6.1 | 6.1.165 | 6eb2919474ca |
| 6.6 | 6.6.128 | a6a3e4af1099 |
| 6.12 | 6.12.75 | 9c80d688f402 |
| 6.18 | 6.18.14 | 205955f29c26 |
| 6.19 | 6.19.4 | 52ab82cc5cf8 |
| mainline | 7.0 | 5551b02fdbfd |