Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A buffer overrun vulnerability has been identified in the Linux kernel's pt5161l hardware monitoring driver. The issue arises in the function pt5161l_read_block_data(), where a local buffer is improperly sized. The buffer, declared to hold 24 bytes, can be overflowed by the i2c_smbus_read_block_data() function, which may return up to 32 bytes. This flaw allows devices to send more data than the buffer can handle, leading to a stack overrun. Additionally, the function incorrectly processes positive return values from i2c_smbus_read_block_data() when data lengths do not match expectations, potentially leading to the use of stale or incomplete information.
Exploitation of this vulnerability causes a stack buffer overflow, which can lead to arbitrary code execution or a crash of the system.
The vulnerability can be reproduced by using a device that returns more than 24 bytes of data through the I2C bus, while the pt5161l driver is active. The driver will attempt to read the data into a buffer that can only hold 24 bytes, causing a stack overrun. This can be done by modifying the driver's I2C read operations to simulate a device that sends excessive data, or by using a real device that behaves in this manner.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The patched version is available in the Linux kernel stable tree.
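The two defects described above (a receive buffer smaller than the 32-byte SMBus block maximum, and positive return values accepted when the length is wrong) can be seen in a user-space example added here; it is not the driver's code or the kernel patch. `sim_dev`, `sim_read_block_data()` and `read_block_checked()` are hypothetical names, and the simulated device stands in for `i2c_smbus_read_block_data()`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32  /* SMBus block-read maximum (kernel i2c.h constant) */
#define EXPECTED_LEN 24         /* buffer size the advisory gives for the driver */

/* Constructed stand-in for i2c_smbus_read_block_data(): the device, not the
 * caller, chooses the length (up to the maximum); negative means errno. */
struct sim_dev { int reply_len; };

static int sim_read_block_data(const struct sim_dev *dev, uint8_t *values)
{
    if (dev->reply_len < 0)
        return dev->reply_len;
    int n = dev->reply_len > I2C_SMBUS_BLOCK_MAX ? I2C_SMBUS_BLOCK_MAX : dev->reply_len;
    memset(values, 0xA5, (size_t)n);  /* writes n bytes whatever the caller expected */
    return n;
}

/* Hardened read (hypothetical helper): 0 on success, negative errno otherwise. */
int read_block_checked(const struct sim_dev *dev, uint8_t *out, size_t want)
{
    uint8_t rbuf[I2C_SMBUS_BLOCK_MAX];  /* sized for the worst case, not for want */
    int ret;

    if (want > sizeof(rbuf))
        return -EINVAL;
    ret = sim_read_block_data(dev, rbuf);
    if (ret < 0)
        return ret;                     /* bus error: propagate unchanged */
    if ((size_t)ret != want)
        return -EIO;                    /* short or long reply: never consume it */
    memcpy(out, rbuf, want);
    return 0;
}

int main(void)
{
    uint8_t out[EXPECTED_LEN];
    const int lens[] = { 24, 32, 8, -ENXIO };  /* constructed device replies */
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        struct sim_dev d = { lens[i] };
        printf("reply %d -> %d\n", lens[i], read_block_checked(&d, out, sizeof(out)));
    }
    return 0;
}
```

With a 24-byte `rbuf` the 32-byte reply would have been written past the end of the array before any length check could run, which is why the buffer size and the length comparison both matter.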