Linux Kernel Out-of-Bounds Access Vulnerability in BNO055 IMU Driver

Vulnerability

A potential out-of-bounds array access vulnerability has been identified in the Linux kernel's BNO055 IMU driver. The issue arises in the 'bno055_get_regmask()' function, where the 'hw_xlate' array was incorrectly iterated over the length of the 'vals' array instead of its own length. This discrepancy could lead to out-of-bounds access, particularly with the 'bno055_gyr_scale' attribute, where the 'vals' array is larger than the 'hw_xlate' array. Although this out-of-bounds access should not occur in practice, as a matching value is expected to be found before exceeding the 'hw_xlate' array's end, the potential for error existed. The vulnerability has been addressed by adding a 'hw_xlate_len' field to the 'bno055_sysfs_attr' structure, ensuring correct iteration over the array's length.

Impact

Exploitation of this vulnerability could lead to out-of-bounds memory access, potentially causing undefined behavior such as memory corruption or application crashes.

Reproduction

The vulnerability can be reproduced by accessing the 'bno055_gyr_scale' attribute in the BNO055 IMU driver. The 'vals' array for this attribute is larger than the corresponding 'hw_xlate' array, which creates the potential for out-of-bounds access. This can be observed in the 'bno055_get_regmask()' function, where the 'hw_xlate' array is iterated incorrectly, leading to the possibility of accessing memory outside the intended bounds.

Remediation

The vulnerability has been fixed in the Linux kernel by updating the BNO055 IMU driver to correctly manage the 'hw_xlate' array's iteration. Users should apply the latest patches available in the Linux kernel stable tree to address this issue.
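
The loop-bound mismatch and its fix, as an added example that is not the driver's own code: a simplified model of the attribute structure in which the 'len' field name, the function names and the table contents are assumptions or constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the attribute descriptor. Only vals, hw_xlate and
 * hw_xlate_len are named on the page; 'len' is an assumed field name. */
struct attr_model {
    const int *vals;      /* user-visible values */
    size_t len;           /* entries in vals (assumed name) */
    const int *hw_xlate;  /* register encodings */
    size_t hw_xlate_len;  /* entries in hw_xlate (field added by the fix) */
};

/* Constructed sample tables: vals is larger than hw_xlate. */
static const int sample_vals[] = {10, 20, 30, 40, 50, 60, 70, 80};
static const int sample_xlate[] = {4, 3, 2, 1, 0};
const struct attr_model sample_attr = {
    .vals = sample_vals, .hw_xlate = sample_xlate,
    .len = sizeof(sample_vals) / sizeof(sample_vals[0]),
    .hw_xlate_len = sizeof(sample_xlate) / sizeof(sample_xlate[0]),
};

/* Before: hw_xlate is walked with the length of vals. A register value that
 * is absent from hw_xlate makes the loop read past the end of the table. */
int xlate_index_before(const struct attr_model *a, int hw_val)
{
    for (size_t i = 0; i < a->len; i++)
        if (a->hw_xlate[i] == hw_val)
            return (int)i;
    return -1;
}

/* After: the loop is bounded by the table's own length. */
int xlate_index_after(const struct attr_model *a, int hw_val)
{
    for (size_t i = 0; i < a->hw_xlate_len; i++)
        if (a->hw_xlate[i] == hw_val)
            return (int)i;
    return -1;
}

/* Number of indexes the old bound permits beyond the end of hw_xlate. */
size_t overrun_slots(const struct attr_model *a)
{
    return a->len > a->hw_xlate_len ? a->len - a->hw_xlate_len : 0;
}

int main(void)
{
    printf("slots past end with old bound: %zu\n", overrun_slots(&sample_attr));
    return 0;
}
```

The old loop stays in bounds only while the value read from the register is present in hw_xlate, which is the "should not occur in practice" condition described above; the new bound removes that dependency.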

Added: Sep 5, 2025, 7:15 PM
Updated: Sep 5, 2025, 7:15 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.