Bug 2363343 (CVE-2025-23158) - CVE-2025-23158 kernel: media: venus: hfi: add check to handle incorrect queue size
Summary: CVE-2025-23158 kernel: media: venus: hfi: add check to handle incorrect queue...
Keywords:
Status: NEW
Alias: CVE-2025-23158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-01 14:04 UTC by OSIDB Bzimport
Modified: 2025-05-02 03:27 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-05-01 14:04:35 UTC 
In the Linux kernel, the following vulnerability has been resolved:

media: venus: hfi: add check to handle incorrect queue size

qsize represents size of shared queued between driver and video
firmware. Firmware can modify this value to an invalid large value. In
such situation, empty_space will be bigger than the space actually
available. Since new_wr_idx is not checked, so the following code will
result in an OOB write.
...
qsize = qhdr->q_size

if (wr_idx >= rd_idx)
 empty_space = qsize - (wr_idx - rd_idx)
....
if (new_wr_idx < qsize) {
 memcpy(wr_ptr, packet, dwords << 2) --> OOB write

Add check to ensure qsize is within the allocated size while
reading and writing packets into the queue.
Comment 1 Avinash Hanwate 2025-05-02 03:19:50 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050130-CVE-2025-23158-d20a@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.