Linux Kernel GPIO Fan Driver Array Out-of-Bounds Access Vulnerability

Vulnerability

A vulnerability in the Linux kernel's GPIO fan driver allows for array out-of-bounds access. The issue arises because the driver does not validate the cooling state input to the 'gpio_fan_set_cur_state()' function, potentially exceeding the maximum allowed value stored in 'fan_data->num_speeds'. This unchecked state is later used as an index in 'set_fan_speed()', leading to out-of-bounds memory access. Exploitation can cause a kernel oops by accessing unavailable memory, as demonstrated by a reported internal error involving a level 1 translation fault.

Impact

Exploitation of this vulnerability causes a kernel oops by accessing invalid memory, leading to a crash.

Reproduction

The vulnerability can be reproduced by writing an arbitrary value to the 'cur_state' attribute of a thermal cooling device managed by the GPIO fan driver. This value can exceed the maximum cooling state, causing the driver to access memory out of bounds, which triggers the kernel oops.
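The missing validation described above, shown beside a hardened form. This is an added user-space C model, not the kernel driver's code and not the upstream patch: the struct layout, the sample speed table and the names set_cur_state_unchecked / set_cur_state_checked are assumptions made for illustration, and only num_speeds and set_fan_speed() come from the advisory text.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* User-space model: layout is a simplified assumption, not the kernel's struct. */
struct gpio_fan_speed { int rpm; int ctrl_val; };
struct gpio_fan_data {
    const struct gpio_fan_speed *speed; /* table of num_speeds entries */
    unsigned int num_speeds;
    unsigned int speed_index;
    int ctrl_val;                       /* stands in for the GPIO lines */
};

/* Constructed sample table: three cooling states, 0..2. */
static const struct gpio_fan_speed demo_speeds[] = {
    { 0, 0 }, { 3000, 1 }, { 6000, 3 },
};

/* Indexes the table directly, so the caller must guarantee the range. */
static void set_fan_speed(struct gpio_fan_data *fan_data, unsigned int speed_index)
{
    fan_data->ctrl_val = fan_data->speed[speed_index].ctrl_val;
    fan_data->speed_index = speed_index;
}

/* Pattern the advisory describes: state reaches the index unvalidated. */
static int set_cur_state_unchecked(struct gpio_fan_data *fan_data, unsigned long state)
{
    set_fan_speed(fan_data, (unsigned int)state);
    return 0;
}

/* Hardened form: compare at full unsigned long width, before narrowing. */
static int set_cur_state_checked(struct gpio_fan_data *fan_data, unsigned long state)
{
    if (state >= fan_data->num_speeds)
        return -EINVAL;
    set_fan_speed(fan_data, (unsigned int)state);
    return 0;
}

int main(void)
{
    struct gpio_fan_data fan = { demo_speeds, 3, 0, 0 };
    printf("in-range unchecked: %d\n", set_cur_state_unchecked(&fan, 1));
    printf("state 2: %d\n", set_cur_state_checked(&fan, 2));
    printf("state 3: %d\n", set_cur_state_checked(&fan, 3));
    printf("state ULONG_MAX: %d\n", set_cur_state_checked(&fan, ULONG_MAX));
    return 0;
}
```

The comparison is done on the unsigned long value before it is narrowed to the index type, so a large input cannot wrap into a valid-looking index.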

Added: Jun 18, 2025, 10:11 PM
Updated: Jun 18, 2025, 10:11 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.