HIGH
media adv7842 Array OOB
CVE-2025-71136
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()

It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
02 KernelScan AI Analysis
Risk summary
A local attacker with access to V4L2 video device operations could potentially trigger out-of-bounds memory reads by causing I2C communication failures with the ADV7842 video decoder chip. This could lead to information disclosure or system instability, though exploitation requires specific hardware presence and local device access.
Vulnerability analysis
Root Cause: adv7842_cp_log_status() uses the return values of cp_read() and hdmi_read() directly as array indices without first checking that they are non-negative. These I2C read functions can return -EIO on failure, and a negative index reads memory located before the start of the array, outside its bounds.
Attack Surface: This vulnerability affects systems with ADV7842 video decoder hardware connected via I2C bus. The vulnerable code path is triggered during status logging operations, which could be invoked through V4L2 (Video4Linux2) device operations. Attack requires local access to trigger V4L2 operations on the affected device.
Fix Mechanism: The patch stores each return value in a temporary variable and validates that it is non-negative before using it as an array index. If the read operation fails (returns a negative value), an empty string is used instead of attempting the array access.
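The pattern described under Root Cause and Fix Mechanism, as an added user-space example that is not the kernel's code or the patch itself. The names mode_txt, model_read, index_ok, name_unchecked and name_checked, the register address and the table contents are all constructed for illustration, and the upper-bound check goes beyond the non-negative check described above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model; every name here is hypothetical. */
#define TXT_COUNT 4
static const char * const mode_txt[TXT_COUNT] = {
	"mode0", "mode1", "mode2", "mode3",
};

static int bus_fail;	/* set to 1 to simulate a failed I2C transfer */

/* Stand-in for cp_read()/hdmi_read(): register value, or -EIO on failure. */
static int model_read(unsigned char reg)
{
	if (bus_fail)
		return -EIO;
	return reg == 0x10 ? 2 : 0;	/* constructed register contents */
}

/* True when idx may be used to index an array of n elements. */
static int index_ok(int idx, size_t n)
{
	return idx >= 0 && (size_t)idx < n;
}

/* Pattern before the fix: the raw return value is the index, so a failed
 * read turns into mode_txt[-EIO], a read before the start of the array. */
static const char *name_unchecked(unsigned char reg)
{
	return mode_txt[model_read(reg)];
}

/* Pattern after the fix: keep the result in a temporary and fall back to
 * an empty string on error. The upper-bound test is this example's addition. */
static const char *name_checked(unsigned char reg)
{
	int temp = model_read(reg);

	return index_ok(temp, TXT_COUNT) ? mode_txt[temp] : "";
}

int main(void)
{
	printf("ok:   unchecked=%s checked=%s\n", name_unchecked(0x10), name_checked(0x10));
	bus_fail = 1;	/* name_unchecked() is not called from here on */
	printf("fail: read=%d checked=\"%s\"\n", model_read(0x10), name_checked(0x10));
	return 0;
}
```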
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.248 | f81ee181cb03 |
| 5.15 | 5.15.198 | f913b9a2ccd6 |
| 6.1 | 6.1.160 | d6a22a4a96e4 |
| 6.12 | 6.12.64 | 60dde0960e3e |
| 6.18 | 6.18.4 | b693d48a6ed0 |
| 6.6 | 6.6.120 | a73881ae085d |
| mainline | 6.19 | 8163419e3e05 |