Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A list corruption vulnerability has been identified in the Linux kernel's media subsystem, specifically within the TI J721E CSI2RX driver. When the function 'ti_csi2rx_start_dma()' fails, the corresponding buffer is marked with an error state but not removed from the DMA queue. This oversight causes the buffer to be processed again in the next iteration, leading to a double removal from the list and subsequent corruption. The issue manifests as a kernel panic, halting the system due to the corrupted list state.
Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by triggering a failure of 'ti_csi2rx_start_dma()' during the DMA callback process, for example by simulating an error condition that is not handled properly. The buffer then remains in the DMA queue despite the error. When the system processes the buffer again in the next iteration, the double removal from the list occurs, causing the corruption.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is '68e5579f4de12207b23c41b44a4c0778b6c2858f', available in the Linux kernel stable tree.
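The error path described above can be illustrated with a small userspace model; this is an added example, not the driver's code or the upstream patch, and every name in it is hypothetical. It assumes the corrected behaviour is to unlink the buffer from the queue in the same step that marks it with an error, and it uses a poison check as a stand-in for the kernel's list debugging to show how a repeated unlink of one node is recognised.

```c
#include <stdio.h>
/* Userspace model with hypothetical names; this is not the driver's code. */
struct node { struct node *next, *prev; };
#define POISON ((struct node *)0x100) /* stand-in for a kernel list poison value */
static void list_init(struct node *h) { h->next = h->prev = h; }
static void list_add_tail(struct node *n, struct node *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
/* Unlink n; return -1 without touching neighbours if n was already unlinked. */
static int list_del_checked(struct node *n) {
    if (n->next == POISON || n->prev == POISON) return -1;
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = POISON;
    return 0;
}

enum state { QUEUED, ACTIVE, ERROR };
struct buf { struct node list; enum state st; int start_ok; int error_marks; };
/* One pass over the queue head. unlink_on_error: 0 = flawed path, 1 = corrected. */
static void pass(struct node *queue, struct node *submitted, int unlink_on_error) {
    if (queue->next == queue) return;           /* queue is empty */
    struct buf *b = (struct buf *)queue->next;  /* list is the first member */
    if (!b->start_ok) {                         /* modelled start failure */
        b->st = ERROR; b->error_marks++;
        if (unlink_on_error) list_del_checked(&b->list);
    } else {
        list_del_checked(&b->list); list_add_tail(&b->list, submitted);
        b->st = ACTIVE;
    }
}

/* Constructed scenario: a never starts, b would. Returns a's error marks after 2 passes. */
static int error_marks_after_two_passes(int unlink_on_error, enum state *b_state) {
    struct node queue, submitted;
    struct buf a = { .start_ok = 0 }, b = { .start_ok = 1 };
    list_init(&queue); list_init(&submitted);
    list_add_tail(&a.list, &queue); list_add_tail(&b.list, &queue);
    pass(&queue, &submitted, unlink_on_error); pass(&queue, &submitted, unlink_on_error);
    *b_state = b.st; return a.error_marks;
}
/* A repeated unlink of one node is the case the poison check rejects. */
static int second_unlink_rejected(void) {
    struct node h, n; list_init(&h); list_add_tail(&n, &h);
    return list_del_checked(&n) == 0 && list_del_checked(&n) == -1;
}
int main(void) {
    enum state s; int flawed = error_marks_after_two_passes(0, &s);
    printf("flawed=%d corrected=%d second_unlink_rejected=%d\n", flawed,
           error_marks_after_two_passes(1, &s), second_unlink_rejected());
    return 0;
}
```

In the flawed form the failed buffer stays at the head of the queue, so it is handled on every pass and the buffer behind it is never started; in the corrected form it is handled once and the next buffer proceeds.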