In the Linux kernel, the following vulnerability has been resolved: parisc: Fix locking in pdc_iodc_print() firmware call. Utilize the pdc_lock spinlock to protect against parallel modifications of the iodc_dbuf[] buffer, check the length to prevent a buffer overflow of iodc_dbuf[], drop the iodc_retbuf[] buffer and fix some wrong indentation.
A critical vulnerability in the Linux kernel's parisc subsystem allows potential denial of service (DoS) or information disclosure. The flaw stems from improper locking and buffer handling in the pdc_iodc_print() function and can be triggered by crafted input; successful exploitation could lead to system instability or leakage of sensitive data.
Step 1: Trigger Condition: A user or process initiates a call to the pdc_iodc_print() function, likely through a system call or a privileged operation. This function is part of the PA-RISC architecture support in the Linux kernel.
Step 2: Race Condition/Buffer Overflow: Without proper locking, multiple threads or processes could simultaneously attempt to write to the iodc_dbuf[] buffer. This can lead to data corruption, or a buffer overflow if the input data's length is not properly validated.
Step 3: Data Corruption/DoS: If a buffer overflow occurs, it can overwrite adjacent memory regions, potentially corrupting kernel data structures and leading to a system crash (DoS). Data corruption could also lead to unexpected behavior and potentially information disclosure.
Step 4: Information Disclosure (Potential): If the iodc_dbuf[] buffer is used to store sensitive data, a race condition or buffer overflow could allow an attacker to read or overwrite this data, leading to information disclosure.
The vulnerability lies in the pdc_iodc_print() function, which is responsible for interacting with the firmware on PA-RISC systems. The original code had no synchronization mechanism (such as a spinlock) protecting the iodc_dbuf[] buffer from concurrent access, so multiple threads could modify the buffer at the same time, corrupting its contents or overflowing it. The code also did not validate the length of the data written into iodc_dbuf[], further increasing the risk of a buffer overflow. The fix takes the pdc_lock spinlock to serialize access to iodc_dbuf[], adds a length check to prevent overflows, and removes the problematic iodc_retbuf[] buffer.
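The fix pattern described above (a length check before the copy plus serialised access to the shared buffer), as an added userspace model that is not the kernel's code; the buffer size, the guard struct and the pthread mutex standing in for pdc_lock are assumptions made for the demo:

```c
#include <pthread.h>
#include <stddef.h>

/* Constructed model of the two defects the advisory names: a shared static
 * output buffer (like iodc_dbuf[]) that was written without a length check
 * and without serialising callers. The kernel fix takes the pdc_lock
 * spinlock; this userspace stand-in uses a pthread mutex (an assumption
 * made for the demo). Sizes and names below are constructed, not the kernel's. */

#define DBUF_SIZE 16

/* A guard byte follows the buffer so a test can prove nothing is ever
 * written past dbuf[DBUF_SIZE - 1]. */
static struct {
    char dbuf[DBUF_SIZE];   /* stands in for iodc_dbuf[] */
    unsigned char guard;    /* must stay 0xA5 */
} con = { {0}, 0xA5 };

static pthread_mutex_t con_lock = PTHREAD_MUTEX_INITIALIZER; /* stands in for pdc_lock */

/* Copy up to `count` bytes of `str` into the shared buffer, then (in the
 * kernel) hand it to the firmware console. The clamp is the length check
 * the fix added; the lock stops a second caller rewriting the buffer while
 * this one is mid-copy. Returns the bytes consumed, never more than DBUF_SIZE. */
size_t bounded_iodc_print(const char *str, size_t count)
{
    size_t i;

    if (count > DBUF_SIZE)         /* length check before any write */
        count = DBUF_SIZE;

    pthread_mutex_lock(&con_lock);  /* kernel: spin_lock_irqsave(&pdc_lock, flags) */
    for (i = 0; i < count; i++)
        con.dbuf[i] = str[i];
    /* the firmware console call would go here, still under the lock */
    pthread_mutex_unlock(&con_lock);

    return count;
}

/* Read-only accessors so a test can check the buffer and its guard. */
unsigned char guard_value(void) { return con.guard; }
char dbuf_byte(size_t idx) { return idx < DBUF_SIZE ? con.dbuf[idx] : 0; }
```

Calling bounded_iodc_print() with an input longer than DBUF_SIZE returns DBUF_SIZE and leaves the guard byte untouched, which is the behaviour the unchecked original could not guarantee.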