PT-2025-54171 · Linux · Linux Kernel
Published: 2023-02-10 · Updated: 2026-02-24
CVE-2023-54325
CVSS v2.0: 4.6 (Medium)
Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.2.0-rc1+ #45
Description
The Linux kernel's crypto QAT driver contains an out-of-bounds read. When preparing an AES-CTR request, the driver copies a key provided by a user into a data structure accessible to the firmware. If the target device is QAT GEN4, the key size is rounded up to the nearest multiple of 16. When this rounding is performed before the copy, the driver can attempt to copy more data than the allocated buffer holds, resulting in an out-of-bounds read. The issue was identified through a Kernel Address Sanitizer (KASAN) report. The vulnerable code is located in the qat_alg_skcipher_init_com.isra.0 function, which is called during initialization of the skcipher session via qat_alg_skcipher_init_sessions and crypto_skcipher_setkey. The key is copied with memcpy, and the size parameter is derived from the rounded-up key length.
Recommendations
Update to Linux kernel version 6.2.0-rc1+ #45 or a later version to address this issue.
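The ordering problem from the description, as an added C sketch that is not the kernel driver's code: it computes how far a round-then-copy sequence reads past the caller's key buffer, and shows the copy-then-round ordering. The structure, function names, the 32-byte key slot and the zeroing of padding are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HW_KEY_ALIGN 16u /* GEN4 rounding granularity, per the description */
#define HW_KEY_MAX   32u /* assumed key slot size (largest AES key) */

/* Hypothetical stand-in for the firmware-visible structure. */
struct hw_cipher_cfg {
    uint8_t key[HW_KEY_MAX];
    size_t  keylen;      /* length reported to the device */
};

static size_t round_up_key(size_t n)
{
    return (n + HW_KEY_ALIGN - 1) / HW_KEY_ALIGN * HW_KEY_ALIGN;
}

/* Bytes the flawed ordering (round, then memcpy) would read beyond
 * a caller buffer that holds exactly keylen bytes. */
size_t overread_if_rounded_first(size_t keylen)
{
    return round_up_key(keylen) - keylen;
}

/* Copy-then-round: the source read is bounded by the real key length,
 * and only the length handed to the device is rounded. */
int hw_cfg_set_key(struct hw_cipher_cfg *cfg, const uint8_t *key,
                   size_t keylen, int is_gen4)
{
    if (keylen == 0 || keylen > HW_KEY_MAX)
        return -1;
    memset(cfg->key, 0, sizeof(cfg->key)); /* padding is zero in this sketch */
    memcpy(cfg->key, key, keylen);
    cfg->keylen = is_gen4 ? round_up_key(keylen) : keylen;
    return 0;
}

int main(void)
{
    const size_t aes_sizes[] = { 16, 24, 32 }; /* valid AES key lengths */
    for (size_t i = 0; i < 3; i++)
        printf("keylen %zu: over-read %zu bytes if rounded first\n",
               aes_sizes[i], overread_if_rounded_first(aes_sizes[i]));
    return 0;
}
```

Of the three AES key lengths, only 24 is not already a multiple of 16, so that is the size for which rounding before the copy reads past the key buffer.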
Exploit
Fix
Out of bounds Read
Weakness Enumeration
Related Identifiers
Affected Products
Linux Kernel