Linux Kernel Off-by-One Vulnerability in Tegra194 HTE Mapping Function
Vulnerability
An off-by-one vulnerability has been identified in the Linux kernel's handling of the Tegra194 Hardware Translation Engine (HTE) mapping. The issue is in the function 'tegra_hte_map_to_line_id()', which compared the element ID against the size of the mapping array incorrectly. The original code used a 'greater than' comparison, so an element ID equal to the array size passed the check and was then used as an index one element past the end of the array, resulting in an out-of-bounds read that could be exploited to access invalid memory. This vulnerability affects the Linux kernel stable tree.
Impact
Exploitation of this vulnerability could lead to out-of-bounds memory access, potentially causing undefined behavior or allowing for memory corruption.
Reproduction
The vulnerability can be reproduced by invoking the 'tegra_hte_map_to_line_id()' function with an element ID that exceeds the valid range, which triggers the out-of-bounds read. Passing such an invalid element ID as input causes the function to read beyond the memory allocated for the mapping array.
Remediation
Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed. The specific commit fixing this issue is available in the Linux kernel Git repository.
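The bounds check described above, as an added userspace model that is not the kernel's code: it compares the 'greater than' check with a strict 'less than' check and counts the out-of-range IDs each one accepts. The struct, the sample table and all function names here are hypothetical, and the corrected comparison is an assumption that follows from the off-by-one description.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one mapping entry; not the kernel's struct. */
struct line_map { int slice; uint32_t bit_index; };

/* Constructed sample table: valid element IDs are 0..2. */
static const struct line_map sample_map[] = { {0, 4}, {0, 5}, {1, 0} };
#define SAMPLE_MAP_SZ (sizeof(sample_map) / sizeof(sample_map[0]))

/* Off-by-one check: rejects only en_id > map_sz, so en_id == map_sz passes. */
static int check_before(uint32_t en_id, size_t map_sz) { return !(en_id > map_sz); }

/* Corrected check (assumed form): the last valid index is map_sz - 1. */
static int check_after(uint32_t en_id, size_t map_sz) { return en_id < map_sz; }

/* Count IDs in [0, map_sz + 1] that a check accepts although they index
 * past the end of the array. Nothing is dereferenced here. */
size_t count_oob_accepted(int (*check)(uint32_t, size_t), size_t map_sz)
{
    size_t n = 0;
    for (uint32_t id = 0; id <= map_sz + 1; id++)
        if (check(id, map_sz) && id >= map_sz)
            n++;
    return n;
}

/* Lookup guarded by the corrected check; returns 0 or -EINVAL. */
int map_to_line_id(uint32_t en_id, const struct line_map *map,
                   size_t map_sz, uint32_t *bit_index)
{
    if (!map || !bit_index || !check_after(en_id, map_sz))
        return -EINVAL;
    *bit_index = map[en_id].bit_index;
    return 0;
}

int main(void)
{
    uint32_t bit = 0;
    printf("accepted out-of-range IDs, before: %zu, after: %zu\n",
           count_oob_accepted(check_before, SAMPLE_MAP_SZ),
           count_oob_accepted(check_after, SAMPLE_MAP_SZ));
    printf("lookup(en_id == size) -> %d\n",
           map_to_line_id(SAMPLE_MAP_SZ, sample_map, SAMPLE_MAP_SZ, &bit));
    return 0;
}
```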
