Linux Kernel Integer Overflow Vulnerability in AtomISP Media Component

A vulnerability allowing integer overflow has been identified in the Linux kernel's AtomISP media component, specifically within the 'sh_css_set_black_frame()' function. This issue arises because the 'height' and 'width' parameters are user-supplied, creating a risk that their multiplication could exceed the maximum value representable, leading to an overflow.

Impact

Exploitation of this vulnerability could lead to memory allocation errors, where the intended size is not correctly allocated due to the overflow, potentially causing out-of-bounds memory access or other memory corruption issues.

Reproduction

The vulnerability can be reproduced by invoking the 'sh_css_set_black_frame()' function with carefully crafted 'height' and 'width' values that, when multiplied together, exceed the maximum integer value. This can be done by creating a stream that passes these values to the function, exploiting the lack of validation on user input.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is '3ad290194bb06979367622e47357462836c1d3b4', which is available in the Linux kernel stable tree.