Linux Kernel QMI String Length Restriction Vulnerability in Qualcomm SoC

Vulnerability

A vulnerability in the Linux kernel's handling of QMI (Qualcomm MSM Interface) string elements can lead to out-of-bounds access. The QMI decoder validates an incoming string's length against the elem_len declared in the element's descriptor and then writes a terminating NUL after the copied bytes. Several QMI element info structures declare elem_len incorrectly, so a string of MAX_LEN bytes plus its terminator (MAX_LEN + 1 bytes in total) passes validation even though the destination member only has room for MAX_LEN bytes. When such a string is decoded, the appended NUL is written one byte past the end of the member, an out-of-bounds access. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability results in an out-of-bounds memory write (the NUL terminator landing past the end of the destination member), which may corrupt adjacent kernel memory, cause a denial-of-service condition, or potentially allow arbitrary code execution. In practice the malformed message has to arrive from the QMI peer, typically firmware running on a remote subsystem of the SoC, so the exposed surface is a compromised or spoofed remote endpoint rather than an unprivileged local user.

Reproduction

The vulnerability can be reproduced by sending a QMI TLV (Type-Length-Value) message containing a string element whose length fills the descriptor's declared maximum, so that the string plus its terminator occupies MAX_LEN + 1 bytes. The length check passes because it is made against the over-sized elem_len, and the decoder then writes the NUL terminator beyond the destination member, causing the out-of-bounds access during decoding.
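To make the mechanism described above concrete, the following is an added C example. It is not kernel code and not part of the original advisory; it models, in a simplified form, how a QMI string element is decoded against its descriptor: a hypothetical one-byte length prefix, a hypothetical MAX_LEN of 16, a descriptor struct (elem_info) reduced to the one field that matters, and a canary byte placed where the memory after the destination member would be. The function names decode_string_elem, case_rc and case_canary_intact are chosen for the example. The same decoder is run with the buggy descriptor (elem_len = MAX_LEN + 1) and with a corrected one (elem_len = MAX_LEN) to show that the decoder's check is only as good as the descriptor it trusts.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of a string member in a QMI message struct (stand-in for MAX_LEN). */
#define MAX_LEN 16
#define CANARY  0xAA

/* Simplified stand-in for the kernel's element descriptor: only elem_len matters here. */
struct elem_info {
    size_t elem_len;   /* declared size of the destination member, NUL included */
};

/*
 * Simplified model of decoding one QMI string element.
 * src points at [len][len bytes of string]; dst is the struct member receiving the string.
 * The decoder trusts ei->elem_len as the size of dst and NUL-terminates after the copy.
 */
static int decode_string_elem(const struct elem_info *ei, char *dst,
                              const uint8_t *src, size_t src_len)
{
    if (src_len < 1)
        return -EINVAL;
    size_t string_len = src[0];

    /* The string must leave room for the terminator inside elem_len. */
    if (string_len >= ei->elem_len)
        return -E2BIG;
    /* The string must not run past the TLV payload. */
    if (string_len > src_len - 1)
        return -EINVAL;

    memcpy(dst, src + 1, string_len);
    dst[string_len] = '\0';   /* written at dst[elem_len - 1] at most: safe only if elem_len is right */
    return (int)(1 + string_len);
}

/*
 * Decode a constructed string of string_len bytes through a descriptor declaring elem_len,
 * into a MAX_LEN member followed by one canary byte. Returns the decoder's result and
 * reports through *canary_intact whether the byte after the member survived.
 */
static int run_case(size_t elem_len, size_t string_len, int *canary_intact)
{
    uint8_t tlv[1 + 255];               /* constructed TLV payload: [len][bytes] */
    unsigned char member[MAX_LEN + 1];  /* member[0..MAX_LEN-1] is the member, member[MAX_LEN] the canary */
    struct elem_info ei = { .elem_len = elem_len };

    memset(member, 0, sizeof(member));
    member[MAX_LEN] = CANARY;

    tlv[0] = (uint8_t)string_len;
    memset(tlv + 1, 'A', string_len);

    int rc = decode_string_elem(&ei, (char *)member, tlv, 1 + string_len);
    *canary_intact = (member[MAX_LEN] == CANARY);
    return rc;
}

/* Decoder return value for a given descriptor and string length. */
int case_rc(size_t elem_len, size_t string_len)
{
    int intact;
    return run_case(elem_len, string_len, &intact);
}

/* 1 if the byte after the member survived decoding, 0 if the NUL clobbered it. */
int case_canary_intact(size_t elem_len, size_t string_len)
{
    int intact;
    run_case(elem_len, string_len, &intact);
    return intact;
}

int main(void)
{
    /* Buggy descriptor: elem_len = MAX_LEN + 1 for a member that is only MAX_LEN bytes. */
    printf("elem_len=MAX_LEN+1, string_len=MAX_LEN:   rc=%d, canary %s\n",
           case_rc(MAX_LEN + 1, MAX_LEN),
           case_canary_intact(MAX_LEN + 1, MAX_LEN) ? "intact" : "CLOBBERED");
    /* Corrected descriptor: a MAX_LEN-byte string is rejected before anything is written. */
    printf("elem_len=MAX_LEN,   string_len=MAX_LEN:   rc=%d, canary %s\n",
           case_rc(MAX_LEN, MAX_LEN),
           case_canary_intact(MAX_LEN, MAX_LEN) ? "intact" : "CLOBBERED");
    /* Corrected descriptor: a MAX_LEN-1 byte string plus its NUL fits exactly. */
    printf("elem_len=MAX_LEN,   string_len=MAX_LEN-1: rc=%d, canary %s\n",
           case_rc(MAX_LEN, MAX_LEN - 1),
           case_canary_intact(MAX_LEN, MAX_LEN - 1) ? "intact" : "CLOBBERED");
    return 0;
}
```

The point the example makes is that the decoder itself is not where the fix belongs: its `string_len >= elem_len` check correctly reserves one byte for the terminator, and with `elem_len = MAX_LEN` the over-long string is rejected with no write at all. The out-of-bounds byte appears only when the descriptor overstates the member size, which is why the remediation is a change to the element info structures rather than to the decode routine. When auditing similar descriptors, compare each string element's elem_len against the sizeof of the struct member it points at.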

Remediation

Users should upgrade to a Linux kernel release that contains the fix, which corrects the affected QMI element info structures; the fix is carried in the stable tree, so updated stable releases are available from the official Linux kernel website (kernel.org) and from distribution kernel updates. After upgrading, confirm that the running kernel version matches a release that includes the fix.

Added: Oct 22, 2025, 2:26 PM
Updated: Oct 22, 2025, 2:26 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.