Linux Kernel QCOM PD-Mapper Element Length Mismatch Vulnerability

A vulnerability in the Linux kernel's QCOM PD-mapper implementation has been addressed. The issue arose because the declared element length in the 'servreg_loc_pfr_req_ei' structure did not align with the corresponding 'reason' field in the 'servreg_loc_pfr_req' structure. This mismatch led to a decoding error, causing a crash in the PD. The problem was identified in the QMI string decoding, where a string length of 81 exceeded the maximum allowed length of 65. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability could lead to a denial-of-service condition by causing a process to crash, disrupting normal operations.

Reproduction

The vulnerability can be reproduced by sending a QMI message that includes a 'servreg_loc_pfr_req' with a 'reason' field exceeding the maximum length. This will trigger a decoding error in the PD-mapper implementation, causing a crash.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.