Linux Kernel Out-of-Bounds Vulnerability in DVB-USB DTV5100 I2C Message Handling

Vulnerability

An out-of-bounds memory access vulnerability has been identified in the Linux kernel's handling of I2C messages for the DVB-USB DTV5100 device. The user-controlled 'rlen' value is not validated before it is used as a copy length; if 'rlen' exceeds the size of the destination buffer, the copy writes past the buffer and corrupts adjacent memory. The fix adds range checks so that 'rlen' can never exceed the buffer size.
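The following is an added example, not the kernel driver's own code, that models the defect class described above: a caller-supplied read length flowing unchecked into a copy into a fixed-size receive buffer, placed beside the hardened form that bounds the length first. The buffer size (RX_BUF_SIZE), the struct and function names, the simulated USB read and the device reply bytes are all constructed for illustration and are not taken from the real driver.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the driver's fixed receive buffer (illustrative value,
 * not the real driver's). */
#define RX_BUF_SIZE 8

/* Minimal model of the I2C message the ioctl path hands the driver: the
 * caller supplies the destination pointer and the requested read length. */
struct i2c_msg_model {
    unsigned char *buf;
    unsigned int len;   /* becomes 'rlen' in the driver; user-controlled */
};

/* Constructed stand-in for whatever the device returns on the bus. */
static const unsigned char device_reply[12] = {
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0xAB
};

/* Simulated USB control read: copies up to 'len' bytes of the reply into dst.
 * Like a real transfer helper, it trusts 'len' completely. */
static size_t simulated_usb_read(unsigned char *dst, size_t len)
{
    size_t n = len < sizeof(device_reply) ? len : sizeof(device_reply);
    memcpy(dst, device_reply, n);
    return n;
}

/* Unchecked pattern (the defect class in the advisory): msg->len flows
 * straight into the copy, so any value above RX_BUF_SIZE writes past rbuf.
 * Kept only for comparison; it is never called with an out-of-range length here. */
int dtv_i2c_read_unchecked(struct i2c_msg_model *msg)
{
    unsigned char rbuf[RX_BUF_SIZE];
    size_t got = simulated_usb_read(rbuf, msg->len);   /* no bound on msg->len */
    memcpy(msg->buf, rbuf, got);
    return (int)got;
}

/* Hardened pattern: validate the length against the destination size before
 * any transfer or copy happens, and fail the request with -EINVAL otherwise. */
int dtv_i2c_read_checked(struct i2c_msg_model *msg)
{
    unsigned char rbuf[RX_BUF_SIZE];

    if (msg->len > sizeof(rbuf))
        return -EINVAL;

    size_t got = simulated_usb_read(rbuf, msg->len);
    memcpy(msg->buf, rbuf, got);
    return (int)got;
}

/* Scratch destination plus a helper that issues a read of 'rlen' bytes
 * through the hardened handler and returns its status. */
unsigned char scratch[32];

int read_status(unsigned int rlen)
{
    struct i2c_msg_model msg = { .buf = scratch, .len = rlen };
    memset(scratch, 0, sizeof(scratch));
    return dtv_i2c_read_checked(&msg);
}

int main(void)
{
    printf("rlen=4  -> %d\n", read_status(4));    /* 4 bytes copied */
    printf("rlen=8  -> %d\n", read_status(8));    /* exactly fills rbuf */
    printf("rlen=12 -> %d\n", read_status(12));   /* rejected with -EINVAL */
    return 0;
}
```

The check sits before the transfer rather than after it because the overflow happens inside the copy itself; clamping afterwards would be too late. Rejecting with an error code instead of silently truncating also keeps a malformed request visible to the caller, which is easier to log and audit than a quietly shortened read.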

Impact

Exploitation of this vulnerability can lead to out-of-bounds memory access, potentially causing memory corruption.

Reproduction

The vulnerability can be reproduced by passing an I2C message whose user-controlled 'rlen' value exceeds the size of the destination buffer in the 'dtv5100_i2c_msg' function, i.e. through the I2C message handling path for the DVB-USB DTV5100 device.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Jan 13, 2026, 5:51 PM
Updated: Jan 13, 2026, 5:51 PM

Vulnerability Rating (Custom Algorithm)

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.