How the CVE Works
The vulnerability exists in the `qaic_validate_req()` function of the Linux kernel’s QAIC accelerator driver. Attackers can trigger an integer overflow via the `qaic_attach_slice_bo_ioctl()` IOCTL handler when processing user-supplied 64-bit unsigned integers (u64). Without proper bounds checking, arithmetic operations on these values can wrap around, leading to memory corruption or out-of-bounds access. This flaw allows local privilege escalation, as unprivileged users can exploit it to gain kernel-level code execution.
DailyCVE Form
Platform: Linux Kernel
Version: QAIC driver (pre-patch)
Vulnerability: Integer Overflow
Severity: Critical
Date: 04/10/2025
What Undercode Say:
Exploitation Analysis
1. Trigger Path:
ioctl(fd, QAIC_ATTACH_SLICE_BO, &user_req); // Malicious u64 values bypass checks
2. Overflow Primitive:
// Missing check_add_overflow() allows wrap-around total_size = req->offset + req->size; // Can overflow if req->offset > U64_MAX - req->size
Protection Measures
1. Patch Verification:
git show $(git grep -l "qaic_validate_req" drivers/accel/qaic/) | grep check_add_overflow
2. Runtime Mitigation:
echo 1 > /proc/sys/kernel/unprivileged_ioctl_restrict Block unprivileged IOCTL
Detection Commands
1. Kernel Module Check:
lsmod | grep qaic Verify vulnerable module load
2. Exploit Attempt Logging:
auditctl -a always,exit -F arch=b64 -S ioctl -F fd=<qaic_device> -k qaic_overflow_monitor
Code Fix Example
// Corrected validation in qaic_validate_req() if (check_add_overflow(req->offset, req->size, &total_size)) return -EINVAL; // Reject overflow-prone requests
References
- Kernel Git Commit: `https://git.kernel.org/…/qaic/commit/?id=…`
- CVSS 4.0 Vector: `CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-22001
Extra Source Hub:
Undercode
