Linux Kernel HID Multitouch Slab Out-of-Bounds Access Vulnerability

Vulnerability

A slab out-of-bounds access vulnerability has been identified in the Linux kernel's HID multitouch driver. The issue is in the 'mt_report_fixup()' function, which processes report descriptors supplied by HID devices. The function modifies the byte at offset 607 after first checking whether it equals 0x15, but it does not verify that the descriptor is large enough before performing this check. A malicious HID device that sends a report descriptor smaller than 607 bytes therefore triggers the out-of-bounds access, leading to memory corruption.
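The missing length check described above, modeled in user-space C as an added example (this is not the kernel's code or the upstream patch). The function names, the run_case() helper and the replacement byte 0x25 are assumptions for illustration; only offset 607 and the value 0x15 come from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FIXUP_OFFSET 607u /* offset named in the advisory */
#define FIXUP_OLD    0x15 /* value the driver tests for (from the advisory) */
#define FIXUP_NEW    0x25 /* assumed replacement byte; not stated on the page */

/* Model of the flaw: indexes offset 607 without looking at size. */
int fixup_unchecked(uint8_t *rdesc, size_t size)
{
    (void)size;                           /* length is never consulted */
    if (rdesc[FIXUP_OFFSET] != FIXUP_OLD) /* out-of-bounds read on a short buffer */
        return 0;
    rdesc[FIXUP_OFFSET] = FIXUP_NEW;
    return 1;
}

/* Hardened form: index 607 exists only when size is at least 608. */
int fixup_checked(uint8_t *rdesc, size_t size)
{
    if (rdesc == NULL || size <= FIXUP_OFFSET)
        return 0;                         /* too short: leave descriptor untouched */
    if (rdesc[FIXUP_OFFSET] != FIXUP_OLD)
        return 0;
    rdesc[FIXUP_OFFSET] = FIXUP_NEW;
    return 1;
}

/* Constructed descriptor of `size` bytes; 1 = patched, 0 = left alone, -1 = error. */
int run_case(size_t size)
{
    uint8_t *rdesc = calloc(size ? size : 1, 1);
    int patched;
    if (rdesc == NULL) return -1;
    if (size > FIXUP_OFFSET)
        rdesc[FIXUP_OFFSET] = FIXUP_OLD;
    patched = fixup_checked(rdesc, size);
    if (patched && rdesc[FIXUP_OFFSET] != FIXUP_NEW)
        patched = -1;
    free(rdesc);
    return patched;
}

int main(void)
{
    printf("64:%d 607:%d 608:%d\n", run_case(64), run_case(607), run_case(608));
    return 0;
}
```

A descriptor of exactly 607 bytes is also rejected by the checked form, because its last valid index is 606.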

Impact

Exploitation of this vulnerability causes a slab out-of-bounds access, which can lead to memory corruption. The Kernel Address Sanitizer (KASAN) reported the access as a read of size 1 from an invalid memory address. Out-of-bounds accesses of this kind are a common pattern in exploitation scenarios that can lead to arbitrary code execution or information leakage.

Reproduction

The vulnerability can be reproduced by using a malicious HID device that sends a report descriptor smaller than 607 bytes. This can be done by crafting a HID report descriptor that intentionally violates the size requirement. Once the device is connected to a system running an affected version of the Linux kernel, the 'mt_report_fixup()' function will be triggered, leading to the out-of-bounds access.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The official Linux kernel Git repository contains the fixed version. Instructions for downloading the patched kernel can be found in the Linux kernel documentation.

Added: Sep 16, 2025, 4:18 PM
Updated: Sep 16, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.