Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
The Linux kernel's WWAN T7XX driver mishandles port enumeration messages, which can lead to a slab-out-of-bounds read. The function 't7xx_port_enum_msg_handler' uses the 'port_count' field supplied by the modem as a loop bound without verifying that the message buffer contains enough data for that many ports. A modem can therefore send a 'port_count' value of 65535 in a 12-byte buffer, causing a read of up to 262140 bytes, which can be exploited to access out-of-bounds memory.
Exploitation of this vulnerability can lead to a slab-out-of-bounds read, allowing for potential memory disclosure or manipulation.
The vulnerability can be reproduced by sending a port enumeration message with a 'port_count' value of 65535 in a 12-byte buffer. This message will trigger the out-of-bounds read in the 't7xx_port_enum_msg_handler' function.
Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree to address this vulnerability.
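The missing check described above, shown as an added user-space C example (not the kernel's code and not the upstream patch). The layout is an assumption inferred from the advisory's numbers: a 12-byte header with 'port_count' in the low 16 bits of its second 32-bit word, followed by 4-byte entries; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not taken from the driver source): 12-byte header,
 * then port_count entries of 4 bytes each (65535 * 4 = 262140 bytes,
 * the read size quoted in the advisory). */
#define HDR_LEN   12u
#define ENTRY_LEN 4u

/* Returns the number of entries that may safely be walked, or -1 when the
 * device-supplied count does not fit in the bytes actually received. */
int enum_msg_checked_count(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN)
        return -1;
    /* Little-endian 16-bit count at offset 4 (assumed position). */
    uint32_t port_count = (uint32_t)buf[4] | (uint32_t)buf[5] << 8;
    /* Divide the remaining length instead of multiplying the untrusted count. */
    if (port_count > (len - HDR_LEN) / ENTRY_LEN)
        return -1;
    return (int)port_count;
}

/* Constructed sample: header claims `claimed` ports, buffer holds `actual`. */
size_t build_sample(uint8_t *out, uint16_t claimed, uint16_t actual)
{
    size_t len = HDR_LEN + (size_t)actual * ENTRY_LEN;
    memset(out, 0, len);
    out[4] = (uint8_t)(claimed & 0xff);
    out[5] = (uint8_t)(claimed >> 8);
    return len;
}

int main(void)
{
    uint8_t buf[HDR_LEN + 2 * ENTRY_LEN];
    size_t n = build_sample(buf, 65535, 0);   /* the advisory's case */
    printf("claimed=65535 len=%zu -> %d\n", n, enum_msg_checked_count(buf, n));
    n = build_sample(buf, 2, 2);              /* well-formed message */
    printf("claimed=2 len=%zu -> %d\n", n, enum_msg_checked_count(buf, n));
    return 0;
}
```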