Linux Kernel Broadcom NAND Controller Out-of-Bounds Access Vulnerability in OOB Write

Vulnerability

A vulnerability in the Linux kernel's handling of out-of-band (OOB) data for Broadcom NAND controllers can lead to out-of-bounds read operations. The issue occurs when the OOB buffer length is not a multiple of the word size: during the final iteration, the write function reads past the end of the source buffer. The vulnerability has been addressed by adding a length check to the OOB buffer reads and by filling any remaining bytes with a default value before writing to the OOB registers.
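The pattern described above, as an added example: this is a userspace C model written for this page, not code from the kernel driver or from the fix. The function names, the 4-byte word size, the big-endian packing, the 0xFF fill value and the sample bytes are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OOB_FILL 0xFFu  /* assumption: pad with the erased-flash value */
/* Assumed: 4-byte words, big-endian packing into a 32-bit register. */
static uint32_t pack4(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* Flawed: whole words only; if len % 4 != 0 the last pass reads past len. */
size_t oob_pack_unchecked(const uint8_t *oob, size_t len, uint32_t *regs)
{
    size_t w = 0;
    for (size_t j = 0; j < len; j += 4)
        regs[w++] = pack4(&oob[j]);
    return w;
}

/* Checked: every read is guarded by j + k < len; the tail gets OOB_FILL. */
size_t oob_pack_checked(const uint8_t *oob, size_t len, uint32_t *regs)
{
    size_t w = 0;
    for (size_t j = 0; j < len; j += 4) {
        uint8_t b[4];
        for (size_t k = 0; k < 4; k++)
            b[k] = (j + k < len) ? oob[j + k] : OOB_FILL;
        regs[w++] = pack4(b);
    }
    return w;
}

/* Constructed: 6 OOB bytes, then 2 bytes (0xAA) standing in for other memory. */
static const uint8_t sample[8] = {1, 2, 3, 4, 5, 6, 0xAA, 0xAA};

/* Last register word produced for the 6-byte sample by either variant. */
uint32_t last_word(int checked)
{
    uint32_t regs[2] = {0, 0};
    size_t n = (checked ? oob_pack_checked : oob_pack_unchecked)(sample, 6, regs);
    return regs[n - 1];
}

int main(void)
{
    printf("%08x %08x\n", (unsigned)last_word(0), (unsigned)last_word(1));
    return 0;
}
```

In the unchecked variant the two 0xAA bytes that lie beyond the 6-byte logical length end up in the last register word; the checked variant writes the fill value there instead.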

Impact

Exploitation of this vulnerability could result in memory corruption due to the out-of-bounds read, potentially leading to undefined behavior or a more severe consequence such as arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using a Broadcom STB NAND controller with an OOB buffer length that is not a multiple of the word size. During the OOB write process, the controller will read past the intended buffer limits, creating an out-of-bounds access.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel's official website.

Added: Oct 4, 2025, 7:01 PM
Updated: Oct 4, 2025, 7:01 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.