When the attacker carefully constructs the network packet to reach the above path, it will execute scatterwalk_copychunks(walk->src.virt.addr, &walk->in, bsize, 0). At this time, the calculated address is 0xdffffc0000000001, which is an invalid kernel address. Accessing this address will panic the kernel, crashing the system.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2250069]
This was fixed for Fedora with the 6.5.4 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138