Linux Kernel Out-of-Bounds Access Vulnerability in Qualcomm VFE Driver

Vulnerability

A vulnerability allowing out-of-bounds memory access has been identified in the Linux kernel's Qualcomm Camera Subsystem (QCSS) VFE driver, specifically in the VFE 480 hardware version. The issue arises because the VFE ISR (Interrupt Service Routine) function uses an incorrect loop bound, leading to access beyond the allocated array limits for output lines. This flaw can potentially be exploited to cause memory corruption.

Impact

Exploitation of this vulnerability leads to out-of-bounds memory access, which can commonly result in memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by triggering the VFE ISR for the VFE 480 hardware version. The ISR will incorrectly process indices 4, 5, and 6, which exceed the bounds of the line array, which is defined to hold a maximum of 4 lines. This can be observed by monitoring the behavior of the driver when it handles interrupts for the VFE image masters.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Git Repository under the stable branch. The specific commit addressing this vulnerability is 'd965919af524e68cb2ab1a685872050ad2ee933d'.
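The bug class described above, as an added user-space model (not the driver's code or the patch itself): the same status walk is run once with a bound that reaches index 6 and once with a bound derived from the array it indexes. The constant names, the struct layout and the one-status-bit-per-index mapping are assumptions made for illustration; only the sizes (4 lines, indices up to 6) come from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed names for this model, not the driver's identifiers. The page
 * gives the sizes: 4 output lines, ISR indices running up to 6. */
#define MAX_OUTPUT_LINES  4
#define NUM_IMAGE_MASTERS 7
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct line { unsigned int frames_done; };
struct vfe_model { struct line line[MAX_OUTPUT_LINES]; };

/* Walk per-index "done" bits in status up to loop_bound. Indices that fit
 * the array are handled; indices past it are returned as a bitmask rather
 * than dereferenced, so the model itself never reads or writes out of bounds. */
static uint32_t isr_walk(struct vfe_model *vfe, uint32_t status, size_t loop_bound)
{
    uint32_t oob = 0;
    for (size_t i = 0; i < loop_bound; i++) {
        if (!(status & (1u << i)))
            continue;
        if (i >= ARRAY_SIZE(vfe->line)) {
            oob |= 1u << i; /* an unchecked ISR would index line[i] here */
            continue;
        }
        vfe->line[i].frames_done++;
    }
    return oob;
}

/* Incorrect bound: one iteration per image master (indices 0..6). */
static uint32_t isr_unpatched_bound(struct vfe_model *vfe, uint32_t status)
{
    return isr_walk(vfe, status, NUM_IMAGE_MASTERS);
}

/* Corrected bound: tied to the size of the array being indexed. */
static uint32_t isr_fixed_bound(struct vfe_model *vfe, uint32_t status)
{
    return isr_walk(vfe, status, ARRAY_SIZE(vfe->line));
}

int main(void)
{
    struct vfe_model v = {0};
    uint32_t a = isr_unpatched_bound(&v, 0x7f), b = isr_fixed_bound(&v, 0x7f);
    printf("out-of-range index mask: unpatched bound %#x, fixed bound %#x\n",
           (unsigned)a, (unsigned)b);
    return 0;
}
```

Deriving the loop bound from `ARRAY_SIZE()` of the indexed array, rather than from a separately defined hardware count, keeps the two from drifting apart when either constant changes.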

Added: May 6, 2026, 12:54 PM
Updated: May 6, 2026, 12:54 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.