Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
An off-by-one error vulnerability has been identified in the TI AM335x touchscreen driver of the Linux kernel. This vulnerability arises from improper validation of the 'wire_order' array, which is used to configure the order of TSC wires. The current validation allows 'wire_order[i]' to equal the size of the 'config_pins' array, leading to out-of-bounds access when the index is used to reference 'config_pins'. Since 'config_pins' contains four elements, the valid range for 'wire_order' should be between 0 and 3. The vulnerability has been addressed by correcting the validation to ensure 'wire_order[i]' is less than the size of 'config_pins'.
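The boundary condition described above, as an added user-space model rather than the driver's own code. The names `wire_order` and `config_pins` come from the description; the pin values, sample orderings and helper functions are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Model of the four-entry pin table; the values are constructed. */
static const int config_pins[] = { 0x10, 0x20, 0x40, 0x80 };

/* Constructed inputs: one valid ordering, one holding the boundary value 4. */
static const unsigned int order_valid[4]    = { 3, 2, 1, 0 };
static const unsigned int order_boundary[4] = { 0, 1, 2, 4 };

/* Check as described before the fix: '>' lets an index of 4 through. */
static int validate_before_fix(const unsigned int *wire_order, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (wire_order[i] > ARRAY_SIZE(config_pins))
            return -EINVAL;
    return 0;
}

/* Corrected check: every index must be strictly less than the table size. */
static int validate_after_fix(const unsigned int *wire_order, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (wire_order[i] >= ARRAY_SIZE(config_pins))
            return -EINVAL;
    return 0;
}

/* Bounds-checked lookup: returns the pin value, or -EINVAL for a bad index. */
static int checked_pin(unsigned int idx)
{
    return idx < ARRAY_SIZE(config_pins) ? config_pins[idx] : -EINVAL;
}

int main(void)
{
    printf("before fix, boundary input: %d\n", validate_before_fix(order_boundary, 4));
    printf("after fix,  boundary input: %d\n", validate_after_fix(order_boundary, 4));
    printf("after fix,  valid input:    %d\n", validate_after_fix(order_valid, 4));
    printf("checked_pin(3) = 0x%x\n", checked_pin(3));
    return 0;
}
```

The model never indexes `config_pins` with an unvalidated value, so it shows only which inputs each check accepts.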
Exploitation of this vulnerability could lead to out-of-bounds memory access, potentially causing a denial-of-service condition or allowing for arbitrary memory manipulation.
The vulnerability can be reproduced by configuring the 'wire_order' array in the TI AM335x touchscreen driver to include a value equal to the size of the 'config_pins' array. That value passes the flawed validation check, and the out-of-bounds access occurs when the 'wire_order' entry is then used as an index into 'config_pins'.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.