Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's Venus media driver can lead to an out-of-bounds read. The issue arises in the event_seq_changed() handler, which processes a variable number of properties from the firmware. The firmware indicates the number of properties, but the payload size is not validated against the actual message length. This lack of validation can cause out-of-bounds memory access if the firmware provides a property count that exceeds the available data, potentially leading to kernel crashes or information leaks. The vulnerability has been addressed by implementing proper validation of the payload size before accessing properties, ensuring that parsing is safely confined within the received message buffer.
Exploitation of this vulnerability can cause kernel crashes or information leaks by allowing access to memory beyond the intended buffer.
The vulnerability can be reproduced by sending a firmware message to the event_seq_changed() handler that includes a property count exceeding the actual data available in the payload. This can be done by manipulating the firmware to report an incorrect property count, leading the handler to access memory out-of-bounds.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.
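The bounds check described above, as an added example in user-space C; it is not the kernel patch or Venus driver code. The property tags, struct seq_info, parse_props() and the message layout are hypothetical simplifications chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout (not the real firmware format): each property is a
 * 32-bit type tag followed by a fixed-size body selected by that tag. */
enum { PROP_FRAME_SIZE = 1, PROP_BIT_DEPTH = 2 };
struct seq_info { uint32_t width, height, bit_depth; };

static size_t prop_body_len(uint32_t type)
{
    if (type == PROP_FRAME_SIZE) return 2 * sizeof(uint32_t);
    if (type == PROP_BIT_DEPTH)  return sizeof(uint32_t);
    return 0; /* unknown tag: reject rather than guess a length */
}

/* Returns 0 on success, -1 when the sender-supplied count does not fit
 * in the len bytes that were actually received. */
int parse_props(const uint8_t *buf, size_t len, uint32_t count, struct seq_info *out)
{
    size_t off = 0; /* invariant: off <= len, so len - off cannot wrap */
    memset(out, 0, sizeof(*out));
    while (count--) {
        uint32_t type, v[2] = {0, 0};
        size_t body;
        /* The tag itself must lie inside the received message. */
        if (len - off < sizeof(type)) return -1;
        memcpy(&type, buf + off, sizeof(type));
        off += sizeof(type);
        body = prop_body_len(type);
        /* The body must also fit before any of it is read. */
        if (body == 0 || len - off < body) return -1;
        memcpy(v, buf + off, body);
        off += body;
        if (type == PROP_FRAME_SIZE) { out->width = v[0]; out->height = v[1]; }
        else out->bit_depth = v[0];
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: two properties, 20 bytes in total. */
    uint32_t msg[] = { PROP_FRAME_SIZE, 1920, 1080, PROP_BIT_DEPTH, 8 };
    struct seq_info s;
    printf("count=2 -> %d\n", parse_props((const uint8_t *)msg, sizeof(msg), 2, &s));
    printf("count=3 -> %d\n", parse_props((const uint8_t *)msg, sizeof(msg), 3, &s));
    return 0;
}
```

Every read is checked against the remaining length rather than against the claimed count, so a count of 3 over a message that holds two properties is rejected instead of being read past the end of the buffer.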