Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's clk: rs9 driver, specifically related to the handling of the 9FGV0841 chip. The driver fails to allocate enough slots for the clock hardware pointers corresponding to the chip's eight outputs. This oversight can lead to an out-of-bounds write when the driver attempts to use these pointers, potentially corrupting the driver's data and causing a kernel crash, especially when the driver is unloaded or the system is suspended.
Exploitation of this vulnerability can cause data corruption in the rs9_driver_data structure and adjacent memory, leading to unpredictable behavior. The corruption can sometimes occur silently, without immediately crashing the kernel, but will definitely cause a crash when the driver is unbound or during system suspend.
The vulnerability can be reproduced by loading the clk: rs9 driver with a 9FGV0841 chip. The driver will incorrectly handle the clock hardware pointers, leading to an out-of-bounds write that corrupts the driver's data. This can be observed by monitoring the system's behavior when the driver is unloaded or during a suspend operation, both of which will cause the kernel to crash.
The vulnerability has been addressed by increasing the size of the clk_hw pointer array in the rs9_driver_data structure to accommodate the maximum output count of the 9FGV0841 chip. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
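The sizing bug and its fix, modelled in userspace C as an added example (this is not the kernel driver's source). The struct and field names, the pre-fix slot count of 4 and the explicit bounds check are assumptions for illustration; only the eight-output count comes from the description above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define MAX_OUTPUTS 8 /* the 9FGV0841 has eight outputs (from the description) */
#define OLD_SLOTS 4   /* assumed pre-fix array size, for illustration only */
struct clk_hw_model { int id; }; /* stand-in for the kernel's struct clk_hw */

/* Undersized layout: the pointer array is followed by other driver state. */
struct drv_data_before {
    struct clk_hw_model *clk_out[OLD_SLOTS];
    uint8_t other_state; /* hypothetical neighbouring field */
};
/* Fixed layout: the array is sized for the largest supported chip. */
struct drv_data_after {
    struct clk_hw_model *clk_out[MAX_OUTPUTS];
    uint8_t other_state;
};
_Static_assert(ARRAY_SIZE(((struct drv_data_after *)0)->clk_out) >= MAX_OUTPUTS,
               "pointer array must cover every output");

/* How many pointer stores would land past the end of the array. */
static size_t slots_out_of_bounds(size_t array_slots, size_t num_outputs)
{
    return num_outputs > array_slots ? num_outputs - array_slots : 0;
}
/* Offset of the state that the first stray store would overlap. */
static size_t first_overrun_offset(void)
{
    return offsetof(struct drv_data_before, other_state);
}
/* Bounds-checked registration: reject the chip instead of writing past the array. */
static int register_outputs(struct clk_hw_model **slots, size_t array_slots,
                            struct clk_hw_model *hws, size_t num_outputs)
{
    if (num_outputs > array_slots)
        return -1; /* a kernel driver would return a negative errno here */
    for (size_t i = 0; i < num_outputs; i++)
        slots[i] = &hws[i];
    return 0;
}

int main(void)
{
    printf("stray stores: %zu, first at offset %zu\n",
           slots_out_of_bounds(OLD_SLOTS, MAX_OUTPUTS), first_overrun_offset());
    return 0;
}
```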