HIGH
scsi ibmvfc TargetDiscovery OOB
CVE-2026-31464
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
KernelScan AI6.7MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.
02KernelScan AI Analysis
Risk summary
IBM Power client LPARs using Virtual Fibre Channel are vulnerable to kernel memory disclosure and denial of service when communicating with a malicious or compromised VIO server. The vulnerability allows reading kernel memory beyond allocated DMA-coherent buffers, which is leaked back to the attacker via Fibre Channel MAD responses. Because the attacker-controlled loop bound is an unbounded 32-bit value, the out-of-bounds read will eventually hit unmapped pages and cause a kernel panic.
Vulnerability analysis
The root cause is missing input validation in ibmvfc_discover_targets_done() where the num_written field from a VIO server response is stored directly in vhost->num_targets without bounds checking against max_targets. This unchecked value is later used as a loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Because num_written is a u32 supplied by the attacker, indices far beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs sent back to the VIO server, leaking kernel memory. Additionally, the unbounded read will traverse unmapped kernel memory, resulting in a kernel panic. The fix clamps num_written to max_targets using min_t() before assignment. The attack surface is limited to IBM Power systems running as client LPARs with virtual Fibre Channel adapters provisioned by a VIO server.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | d842348f8a00 |
| 5.15 | 5.15.203 | a007246cb6c9 |
| 6.1 | 6.1.168 | 394a1cac3c12 |
| 6.12 | 6.12.80 | d1466bf991b2 |
| 6.18 | 6.18.21 | 786f10b1966e |
| 6.19 | 6.19.11 | bae4df0a643f |
| 6.6 | 6.6.131 | 4ed727e35b0a |
| mainline | 7.0 | 61d099ac4a7a |