Linux Kernel Mailbox Subsystem Out-of-Bounds Access Vulnerability in fw_mbox_index_xlate Function

Vulnerability

A vulnerability in the Linux kernel's mailbox subsystem can lead to out-of-bounds access in the fw_mbox_index_xlate function. This issue arises when the device tree specifies '#mbox-cells' as zero, which is contrary to the expectation that it should be at least one. In such cases, if the corresponding mailbox controller does not provide the fw_xlate or of_xlate function pointers, the fw_mbox_index_xlate function is used by default. This function lacks proper bounds checking, allowing for potential out-of-bounds memory access.

Impact

Exploitation of this vulnerability can cause out-of-bounds memory access, which may lead to memory corruption or unauthorized access to sensitive data.

Reproduction

The vulnerability can be reproduced by creating a device tree entry for a mailbox controller with '#mbox-cells' set to zero. When the kernel processes this device tree, it will use the fw_mbox_index_xlate function without the necessary bounds checks, leading to out-of-bounds access.
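The check that the default index translation needs, shown as an added example in a user-space model; this is not the kernel's code or the upstream patch. The struct and function names are hypothetical, and the model assumes the channel index is read from the first specifier cell.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_ARGS 8

/* Hypothetical stand-ins for the reference-args and controller types. */
struct ref_args {
    unsigned int nargs;           /* valid cells, as set by '#mbox-cells' */
    unsigned int args[MAX_ARGS];  /* cells at or past nargs carry no meaning */
};

struct chan { int id; };

struct controller {
    struct chan *chans;
    unsigned int num_chans;
};

/* Unchecked model: trusts args[0] even when the specifier has no cells.
 * Returns the index it would use, without touching the channel array. */
static unsigned int index_unchecked(const struct ref_args *sp)
{
    return sp->args[0];
}

/* Checked model: reject an empty specifier and any index past the array.
 * The model signals rejection with NULL. */
static struct chan *index_xlate_checked(const struct controller *mbox,
                                        const struct ref_args *sp)
{
    if (sp->nargs < 1 || sp->args[0] >= mbox->num_chans)
        return NULL;
    return &mbox->chans[sp->args[0]];
}

int main(void)
{
    struct chan chans[4] = { {0}, {1}, {2}, {3} };
    struct controller mbox = { chans, 4 };
    /* Constructed input: zero cells, with a stale value left in args[0]. */
    struct ref_args zero_cells = { 0, { 0xdead } };
    struct ref_args one_cell = { 1, { 2 } };

    printf("unchecked index with zero cells: %u of %u channels\n",
           index_unchecked(&zero_cells), mbox.num_chans);
    printf("checked, zero cells: %p\n",
           (void *)index_xlate_checked(&mbox, &zero_cells));
    printf("checked, one cell: id=%d\n",
           index_xlate_checked(&mbox, &one_cell)->id);
    return 0;
}
```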

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for updating the kernel can be found in the official Linux kernel documentation.

Added: May 6, 2026, 12:29 PM
Updated: May 6, 2026, 12:29 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.8
exploitability: 5.3
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.