Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability allowing out-of-bounds memory access has been identified in the Linux kernel's Realtek DSA (Distributed Switch Architecture) driver, specifically within the 'realtek-mdio' interface. This issue arises because the probe function incorrectly assumes that the 'priv' structure has sufficient trailing space to accommodate additional chip data. While the 'realtek-smi' interface properly allocates this space, 'realtek-mdio' does not, leading to potential memory corruption. This flaw has likely gone unnoticed due to an unused buffer in the 'realtek_priv' structure, which inadvertently masked the issue. However, under different memory allocation conditions or with the Kernel Address Sanitizer (KASAN) tool, the corruption becomes evident.
Exploitation of this vulnerability can lead to memory corruption, with the potential for more severe consequences depending on the specific conditions under which the driver is used.
The vulnerability can be reproduced by loading the Realtek DSA driver with the 'realtek-mdio' interface on a system whose memory allocator differs from the default one, for example under the Barebox bootloader. That combination exposes the out-of-bounds access: the memory corruption becomes apparent as soon as the driver is probed.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is 'b93eb564869321d0dffaf23fcc5c88112ed62466', which is included in the Linux kernel stable tree.
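The following is an added example, not code from the Linux kernel or from the fixing commit. It models, in plain C and with hypothetical names, the allocation pattern the advisory describes: a driver-private structure whose chip-specific data is expected to live in trailing space of the same allocation. One probe routine reserves that space, the other only allocates the bare header while still pointing chip_data past its end, and a bounds check (playing the role KASAN plays in the kernel) shows which one is safe. The defective routine deliberately never writes through chip_data, so the program itself does not corrupt memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a driver private structure. The chip-specific data
 * is expected to sit immediately after this header in the SAME allocation;
 * the field and struct names are ours, not the kernel's. */
struct priv {
    uint32_t flags;
    void *chip_data;   /* should point just past the header */
};

/* What a probe hands back, plus the real allocation size so the layout can
 * be checked. The kernel keeps no such record; KASAN supplies the check. */
struct alloc {
    struct priv *p;
    size_t size;       /* bytes actually allocated for p */
};

/* Correct pattern: header plus chip_data_sz bytes in one allocation. */
struct alloc probe_with_trailing_space(size_t chip_data_sz)
{
    struct alloc a;
    a.size = sizeof(struct priv) + chip_data_sz;
    a.p = calloc(1, a.size);
    a.p->chip_data = (char *)a.p + sizeof(struct priv);
    return a;
}

/* Defective pattern: only the header is allocated, yet chip_data is still
 * aimed at the bytes after it. Any use of chip_data would be out of bounds. */
struct alloc probe_without_trailing_space(size_t chip_data_sz)
{
    struct alloc a;
    (void)chip_data_sz;            /* ignored: this omission is the bug */
    a.size = sizeof(struct priv);
    a.p = calloc(1, a.size);
    a.p->chip_data = (char *)a.p + sizeof(struct priv);
    return a;
}

/* Returns 1 when [chip_data, chip_data + chip_data_sz) lies inside the
 * allocation, 0 otherwise. */
int chip_data_in_bounds(const struct alloc *a, size_t chip_data_sz)
{
    const char *base = (const char *)a->p;
    const char *cd = (const char *)a->p->chip_data;
    if (cd < base)
        return 0;
    return (size_t)(cd - base) + chip_data_sz <= a->size;
}

void free_alloc(struct alloc *a)
{
    free(a->p);
    a->p = NULL;
    a->size = 0;
}

int main(void)
{
    const size_t chip_data_sz = 64;   /* constructed sample size */
    struct alloc good = probe_with_trailing_space(chip_data_sz);
    struct alloc bad = probe_without_trailing_space(chip_data_sz);

    printf("with trailing space:    chip_data in bounds = %d\n",
           chip_data_in_bounds(&good, chip_data_sz));
    printf("without trailing space: chip_data in bounds = %d\n",
           chip_data_in_bounds(&bad, chip_data_sz));

    free_alloc(&good);
    free_alloc(&bad);
    return 0;
}
```

The point of the check is that the header alone gives no hint of the problem: both probes return a structure whose chip_data pointer looks sensible, and only comparing that pointer against the true allocation size reveals that the second one reaches past the end. That is why the advisory notes the bug stayed hidden until a different allocator or KASAN made the over-read visible.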