Linux Kernel Global Out-of-Bounds Vulnerability in DRM/I915 Performance Handling

Vulnerability

A global out-of-bounds vulnerability has been identified in the Linux kernel's handling of Intel's DRM/i915 performance counters, specifically within the XEHPC architecture. This issue, which was detected by the Kernel Address Sanitizer (KASAN), involves a read operation that exceeds the allocated memory bounds, potentially leading to memory corruption or unauthorized access to sensitive data. The vulnerability arises because arrays passed to the 'reg_in_range_table' function do not terminate with an empty record, which is necessary for proper range validation. The issue was observed in Linux kernel version 6.4.0, on a system with Intel's Meteor Lake Client Platform.

Impact

Exploitation of this vulnerability can lead to a global out-of-bounds memory access, causing a read operation that exceeds the allocated memory limits. This type of memory corruption can potentially be exploited to manipulate program execution or access restricted memory areas.

Reproduction

The vulnerability can be reproduced by using the 'perf' tool to monitor performance events on a system running the affected version of the Linux kernel. The 'perf' task will trigger the out-of-bounds read in the 'xehp_is_valid_b_counter_addr' function, as the performance counters array does not properly terminate with a sentinel record, causing KASAN to report a global-out-of-bounds error.
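The missing-terminator condition described in the Vulnerability and Reproduction sections, modelled in user-space C as an added example (not the kernel's code or the upstream patch): a sentinel-terminated range lookup beside a length-bounded lookup and a terminator check that could be run over each table. The struct, function names and register ranges are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* User-space model, not kernel code: an inclusive register range. */
struct reg_range { uint32_t start, end; };
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample tables; values are illustrative, not real registers. */
static const struct reg_range terminated[] = {
    { 0x1000, 0x10ff }, { 0x2000, 0x20ff },
    { 0, 0 },                     /* empty record marks the end */
};
static const struct reg_range unterminated[] = {
    { 0x1000, 0x10ff }, { 0x2000, 0x20ff },   /* no empty record */
};

/* Sentinel walk: only safe when the table ends with an empty record. */
static bool in_range_sentinel(uint32_t addr, const struct reg_range *t)
{
    for (; t->start || t->end; t++)
        if (addr >= t->start && addr <= t->end)
            return true;
    return false;   /* a miss reads every record up to the sentinel */
}

/* Bounded walk: never reads past n records, sentinel or not. */
static bool in_range_bounded(uint32_t addr, const struct reg_range *t, size_t n)
{
    for (size_t i = 0; i < n && (t[i].start || t[i].end); i++)
        if (addr >= t[i].start && addr <= t[i].end)
            return true;
    return false;
}

/* Audit helper: does the last record of an n-entry table terminate it? */
static bool table_is_terminated(const struct reg_range *t, size_t n)
{
    return n > 0 && t[n - 1].start == 0 && t[n - 1].end == 0;
}

int main(void)
{
    bool ok = table_is_terminated(terminated, ARRAY_LEN(terminated)) &&
              !table_is_terminated(unterminated, ARRAY_LEN(unterminated)) &&
              in_range_sentinel(0x2010, terminated) &&
              !in_range_sentinel(0x3000, terminated) &&
              !in_range_bounded(0x3000, unterminated, ARRAY_LEN(unterminated));
    return ok ? 0 : 1;
}
```

The sentinel walk is never called on the unterminated table: an address that matches no range would make it read past the end of the array, which is the access pattern KASAN reports as global-out-of-bounds.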

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. The patch is available in the Linux kernel stable tree.

Added: Oct 7, 2025, 5:32 PM
Updated: Oct 7, 2025, 5:32 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.