CVE-2024-53151

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> svcrdma: Address an integer overflow<br /> <br /> Dan Carpenter reports:<br /> &gt; Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data<br /> &gt; structure") from Jun 22, 2020 (linux-next), leads to the following<br /> &gt; Smatch static checker warning:<br /> &gt;<br /> &gt; net/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk()<br /> &gt; warn: potential user controlled sizeof overflow &amp;#39;segcount * 4 * 4&amp;#39;<br /> &gt;<br /> &gt; net/sunrpc/xprtrdma/svc_rdma_recvfrom.c<br /> &gt; 488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt)<br /> &gt; 489 {<br /> &gt; 490 u32 segcount;<br /> &gt; 491 __be32 *p;<br /> &gt; 492<br /> &gt; 493 if (xdr_stream_decode_u32(&amp;rctxt-&gt;rc_stream, &amp;segcount))<br /> &gt; ^^^^^^^^<br /> &gt;<br /> &gt; 494 return false;<br /> &gt; 495<br /> &gt; 496 /* A bogus segcount causes this buffer overflow check to fail. */<br /> &gt; 497 p = xdr_inline_decode(&amp;rctxt-&gt;rc_stream,<br /> &gt; --&gt; 498 segcount * rpcrdma_segment_maxsz * sizeof(*p));<br /> &gt;<br /> &gt;<br /> &gt; segcount is an untrusted u32. On 32bit systems anything &gt;= SIZE_MAX / 16 will<br /> &gt; have an integer overflow and some those values will be accepted by<br /> &gt; xdr_inline_decode().