Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A stack-out-of-bounds vulnerability has been identified in the Linux kernel's QuickI2C ACPI implementation, specifically within the intel-thc-hid component. This issue arises because the ACPI _DSD methods return ICRS and ISUB data with an extra trailing byte, leading to a mismatch in the expected length. The vulnerability causes a kernel crash, as reported by the Kernel Address Sanitizer (KASAN), which detected the out-of-bounds stack write. The problem was introduced in version 6.16.0 and has been fixed by adding reserved padding to the QuickI2C ACPI parameter and configuration structures.
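The length mismatch described above, as an added user-space example that is not the kernel's code: a destination sized for the expected payload cannot hold a firmware buffer that carries one extra trailing byte, while a padded destination can. The structure layouts, the function names and the sample buffer are hypothetical, and the example assumes the copy is sized by the length the firmware reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layouts for illustration; not the kernel's real structures. */
struct params_before {          /* the size the driver expected */
    uint32_t fields[4];
};
struct params_after {           /* same fields plus reserved padding */
    uint32_t fields[4];
    uint8_t reserved[4];        /* absorbs the extra trailing byte */
};

/* Constructed sample: the expected payload plus one trailing byte. */
static const uint8_t fw_buf[sizeof(struct params_before) + 1] = { 0 };

/* Bytes that an unchecked memcpy(dst, src, src_len) would write past dst. */
size_t overflow_bytes(size_t dst_size, size_t src_len)
{
    return src_len > dst_size ? src_len - dst_size : 0;
}

/* Checked copy: rejects any firmware length larger than the destination. */
int copy_fw_buffer(void *dst, size_t dst_size, const uint8_t *src, size_t src_len)
{
    if (src_len > dst_size)
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}

int load_before(void)
{
    struct params_before p;     /* stack object, as in the KASAN report */
    return copy_fw_buffer(&p, sizeof(p), fw_buf, sizeof(fw_buf));
}

int load_after(void)
{
    struct params_after p;
    return copy_fw_buffer(&p, sizeof(p), fw_buf, sizeof(fw_buf));
}

int main(void)
{
    printf("unpadded rc=%d, padded rc=%d\n", load_before(), load_after());
    return 0;
}
```

Padding makes the observed firmware length fit; the explicit length check is what keeps a differently sized buffer from reaching the stack.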
This vulnerability causes a kernel crash due to a stack-out-of-bounds error, and it can potentially be exploited to execute arbitrary code in the kernel context.
The vulnerability can be reproduced by invoking the QuickI2C ACPI _DSD methods, which will return ICRS and ISUB data with a trailing byte. This can be done by accessing the relevant ACPI methods through the device interface that utilizes QuickI2C.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.