Linux Kernel Out-of-Bounds Read/Write Vulnerability in DRM/I915 GEM

Vulnerability

A vulnerability in the Linux kernel's DRM/I915 GEM subsystem allows for out-of-bounds read or write operations in adjacent memory areas. This issue arises because the 'len' attribute is not properly validated before a memory copy operation, potentially leading to memory access violations. The vulnerability has been observed to cause a page fault error, indicating an attempt to access a non-present page in kernel mode.

Impact

Exploitation of this vulnerability can lead to out-of-bounds memory access, causing a page fault error and disrupting normal kernel operations.

Reproduction

The vulnerability can be reproduced by triggering the 'vm_access' function in the DRM/I915 GEM subsystem with an unvalidated 'len' attribute. This can be done by creating a scenario where the 'len' value exceeds the intended bounds, allowing for an out-of-bounds memory access during the 'memcpy' operation. The resulting memory access violation will cause a page fault error, indicating that the kernel attempted to read from a non-present page.
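The missing validation described in the Vulnerability and Reproduction sections, shown as an added example: this is a userspace C model, not code from the kernel or from this advisory. The struct, the function names and the 16-byte sample object are hypothetical; the model assumes the handler receives an offset into the object and a signed 'len', and places the unvalidated copy beside a version that checks the range before 'memcpy'.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a mapped object's backing store. */
struct model_obj {
    uint8_t *vaddr; /* start of the mapping */
    size_t size;    /* object size in bytes */
};

static int do_copy(struct model_obj *obj, size_t off, void *buf, int len, int write)
{
    if (write)
        memcpy(obj->vaddr + off, buf, (size_t)len);
    else
        memcpy(buf, obj->vaddr + off, (size_t)len);
    return len;
}

/* "Before" pattern: len reaches memcpy unvalidated. For contrast; not called here. */
int access_unchecked(struct model_obj *obj, size_t off, void *buf, int len, int write)
{
    return do_copy(obj, off, buf, len, write);
}

/* Hardened pattern: reject the request unless [off, off+len) lies inside the object.
 * Written as len > size - off so that off + len can never wrap around. */
int access_checked(struct model_obj *obj, size_t off, void *buf, int len, int write)
{
    if (len < 0 || off > obj->size || (size_t)len > obj->size - off)
        return -EINVAL;
    return do_copy(obj, off, buf, len, write);
}

/* Constructed sample: read len bytes at off from a 16-byte object. */
int demo_read(size_t off, int len)
{
    static uint8_t backing[16];
    uint8_t out[sizeof(backing)];
    struct model_obj obj = { backing, sizeof(backing) };
    return access_checked(&obj, off, out, len, 0);
}
```

The checked version returns an error for a request that starts inside the object but runs past its end, which is the case the unvalidated 'len' lets through to the copy.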

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.