Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's V4L2 test pattern generator (TPG) component allows for an out-of-bounds memory write. This issue was identified by syzkaller and is related to the handling of composition sizes in the TPG's plane buffer filling function. The vulnerability arises because the composition size can exceed the capabilities of the format's capture rectangle, leading to a memory write that goes beyond the allocated bounds.
Exploitation of this vulnerability causes a heap-based out-of-bounds write, which can potentially lead to arbitrary code execution.
The vulnerability can be reproduced by using the V4L2 test pattern generator in a Linux kernel environment. The issue occurs when the TPG component is tasked with filling a video buffer while the composition size is incorrectly set to exceed the allowable limits. This can be automated with a fuzzing tool like syzkaller, which has already demonstrated the vulnerability.
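The root cause described above, a composition rectangle larger than the capture format the buffer was sized for, can be modelled in a few lines of user-space C. This is an added example, not kernel code or the upstream fix; the struct and function names are hypothetical, and it assumes one byte per pixel with no line padding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model: hypothetical names, 1 byte per pixel, no padding. */
struct rect  { unsigned left, top, width, height; };
struct frame { unsigned width, height; uint8_t *buf; }; /* buf: width*height bytes */

/* Overflow-safe containment test: does the compose rectangle lie inside the format? */
int compose_fits(const struct frame *f, const struct rect *c)
{
    return c->left <= f->width  && c->width  <= f->width  - c->left &&
           c->top  <= f->height && c->height <= f->height - c->top;
}

/* Shrink the compose rectangle until it fits the format. */
void clamp_compose(const struct frame *f, struct rect *c)
{
    if (c->left > f->width)              c->left   = f->width;
    if (c->top  > f->height)             c->top    = f->height;
    if (c->width  > f->width  - c->left) c->width  = f->width  - c->left;
    if (c->height > f->height - c->top)  c->height = f->height - c->top;
}

/* Fill the compose area line by line and return the bytes written.
 * Without the clamp, the trailing lines would land past the end of buf. */
size_t fill_compose(const struct frame *f, struct rect c, uint8_t value)
{
    size_t written = 0;
    clamp_compose(f, &c);
    for (unsigned y = 0; y < c.height; y++) {
        memset(f->buf + (size_t)(c.top + y) * f->width + c.left, value, c.width);
        written += c.width;
    }
    return written;
}

/* Constructed demo: 8x4 format followed by one guard byte. */
int demo_guard_intact(void)
{
    uint8_t mem[8 * 4 + 1];
    struct frame f = { 8, 4, mem };
    struct rect oversized = { 2, 1, 16, 9 };   /* larger than the format */
    memset(mem, 0, sizeof(mem));
    mem[32] = 0xAA;                            /* guard after the buffer */
    size_t n = fill_compose(&f, oversized, 0xFF);
    return mem[32] == 0xAA && n == 6 * 3;      /* clamped to 6 columns x 3 lines */
}
```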