Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's MHI bus host driver has been addressed. When a remote device sent a completion event, the event contained a pointer to a Transaction Ring Element (TRE), which the host used to locate the TREs it should process. Problems occurred if the event pointed to a TRE several elements ahead of the host's read pointer: the host could then read stale TRE data, and if the channel's transfer callback freed the associated buffer, the same buffer could be freed twice (a double free). The issue was most acute with single-element transactions, where the timing of event ring pointer updates left a window that could be exploited.
The vulnerability could be exploited to cause a double-free error, potentially leading to memory corruption.
The vulnerability can be reproduced by using a remote device that sends completion events with pointers to TREs that are multiple elements ahead of the host's read pointer. This can be done by updating the event ring pointer before the event contents are fully processed, creating a window where the host accesses outdated data.
Users can update to the latest version of the Linux kernel where this vulnerability has been fixed.