Linux Kernel Mediatek MT8365 I2S DAI Privilege Size Vulnerability

Vulnerability

A global out-of-bounds vulnerability has been identified in the Linux kernel's ASoC Mediatek MT8365 I2S Digital Audio Interface (DAI) implementation. The function 'mt8365_dai_set_priv' allocates a buffer of the size it is given and copies the private data into it, but the wrong size is passed to it: the size of the 'mt8365_afe_private' structure is used where the size of the 'mt8365_i2s_priv' structure should be. The issue was detected by the Kernel Address Sanitizer (KASAN), which reported a global-out-of-bounds error.

Impact

This vulnerability leads to a global out-of-bounds memory access, which can potentially be exploited to cause a denial-of-service condition or to manipulate memory in a way that could lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by loading the ASoC Mediatek MT8365 PCM driver, which triggers the 'mt8365_dai_i2s_set_priv' function. This function then calls 'mt8365_dai_set_priv' with the incorrect size parameter, causing the out-of-bounds memory access. KASAN reports the error, confirming that the vulnerability has been reproduced.
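The size mismatch described above, as an added user-space model that is not the kernel's code. The structure layouts, the table, 'register_dai' and 'set_priv_checked' are hypothetical; only the pattern (copy size taken from the wrong structure) comes from the description, and the size check is one possible defence, not the upstream fix.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layouts: only the size relationship matters here. */
struct afe_private { int clk[32]; void *dai_priv[8]; };   /* large, driver-wide */
struct i2s_priv    { int id; int clk_id; int use_eclk; }; /* small, per-DAI */
_Static_assert(sizeof(struct afe_private) > sizeof(struct i2s_priv), "premise");

/* Constructed global table standing in for the static per-DAI data. */
static const struct i2s_priv i2s_table[2] = { { 0, 10, 0 }, { 1, 11, 1 } };

/* Models the copy helper: allocate priv_size bytes and copy priv_size bytes
 * from src. It trusts the caller, so a size larger than the source object
 * reads past the end of the global (what KASAN flags). */
static void *set_priv_unchecked(size_t priv_size, const void *src)
{
    void *p = calloc(1, priv_size);
    if (p)
        memcpy(p, src, priv_size);
    return p;
}

/* Defensive wrapper (assumption): the caller also states the real size of
 * the source object, and an oversized copy is refused before any read. */
static int set_priv_checked(void **out, size_t priv_size,
                            const void *src, size_t src_size)
{
    if (!out || !src || priv_size == 0 || priv_size > src_size)
        return -EINVAL;
    *out = set_priv_unchecked(priv_size, src);
    return *out ? 0 : -ENOMEM;
}

/* Caller shape from the description: copy table entry i using priv_size. */
static int register_dai(void **out, int i, size_t priv_size)
{
    return set_priv_checked(out, priv_size, &i2s_table[i], sizeof(i2s_table[i]));
}

int main(void)
{
    void *p = NULL;
    printf("wrong size (%zu bytes): %d\n", sizeof(struct afe_private),
           register_dai(&p, 0, sizeof(struct afe_private)));
    printf("right size (%zu bytes): %d\n", sizeof(struct i2s_priv),
           register_dai(&p, 0, sizeof(struct i2s_priv)));
    free(p);
    return 0;
}
```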

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Aug 22, 2025, 4:41 PM
Updated: Aug 22, 2025, 7:14 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.