VYPR
Unrated severityNVD Advisory· Published Dec 8, 2025· Updated Apr 15, 2026

CVE-2023-53748

Description

In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup

Variable *nplanes is provided by the user via a system call argument. The possible value of q_data->fmt->num_planes is 1-3, while the value of *nplanes can be 1-8. The array access by index i can cause array out-of-bounds.

Fix this bug by checking *nplanes against the array size.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-53748: In the Linux kernel's media driver for the Mediatek video codec, a missing bounds check on the user-provided nplanes parameter can trigger an array out-of-bounds write in queue_setup, leading to potential memory corruption.

Vulnerability

CVE-2023-53748 is a vulnerability in the Linux kernel's Mediatek video codec driver (media: mediatek: vcodec). In the decoder's queue_setup function, the *nplanes value is supplied by a user-mode process via a system call argument. The driver uses this value as the bound for the index i into a per-plane array. While the valid range of q_data->fmt->num_planes is 1 to 3, *nplanes can be set to any value between 1 and 8. When the index i iterates from 0 to *nplanes-1, it can exceed the actual array size, causing an out-of-bounds access beyond the allocated storage.

Exploitation

Exploitation requires the ability to invoke the media decoder's VIDIOC_CREATE_BUFS or similar ioctl that triggers queue_setup with a crafted *nplanes argument. The attacker must have the necessary privileges to interact with the video codec device node—typically accessible to local users with appropriate group memberships or root. No special hardware is needed beyond a Mediatek-based platform running the vulnerable kernel. The out-of-bounds access occurs in the kernel address space.

Impact

A successful out-of-bounds write can corrupt adjacent kernel memory, which may lead to a denial of service (system crash) or potentially privilege escalation if the attacker can control the written data. The exact impact depends on the memory layout and kernel hardening (KASLR, SMAP, etc.). The vulnerability is classified as a medium severity memory safety issue.

Mitigation

The fix, introduced in the Linux kernel stable updates, adds a check that verifies *nplanes does not exceed ARRAY_SIZE() of the plane array and returns an error (-EINVAL) if it does [1]. All users should apply the latest stable kernel patches containing this commit (48e4e06e2c5f or equivalent). No workaround is available; updating the kernel is the recommended remediation.
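The check described above, as a user-space model added here for illustration; it is not the kernel patch or the driver's code. The struct, the field and function names and the array size of 3 are assumptions, and a guarded accessor counts the accesses the unchecked loop would make past the array instead of performing them.

```c
#include <errno.h>
#include <stdio.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define MODEL_MAX_PLANES 3    /* assumed array size (num_planes is 1-3) */
#define CALLER_MAX_PLANES 8   /* *nplanes can be 1-8 per the description */

struct model_q_data {         /* hypothetical stand-in for the driver's q_data */
    unsigned int sizeimage[MODEL_MAX_PLANES];
};

unsigned int oob_hits;        /* accesses the loop attempted past the array */
/* Guarded accessor: the model counts an overrun instead of performing it. */
static unsigned int plane_size(const struct model_q_data *q, unsigned int i)
{
    if (i < ARRAY_SIZE(q->sizeimage))
        return q->sizeimage[i];
    oob_hits++;
    return 0;
}

/* "Before" shape: the loop bound is the caller's *nplanes, never validated. */
int queue_setup_unchecked(const struct model_q_data *q,
                          const unsigned int *nplanes, const unsigned int *sizes)
{
    for (unsigned int i = 0; i < *nplanes; i++)
        if (sizes[i] < plane_size(q, i))
            return -EINVAL;
    return 0;
}

/* "After" shape: compare *nplanes with the array size before any indexing. */
int queue_setup_checked(const struct model_q_data *q,
                        const unsigned int *nplanes, const unsigned int *sizes)
{
    if (*nplanes > ARRAY_SIZE(q->sizeimage))
        return -EINVAL;
    return queue_setup_unchecked(q, nplanes, sizes);
}

int main(void)
{
    struct model_q_data q = { { 4096, 2048, 1024 } };  /* constructed sample */
    unsigned int sizes[CALLER_MAX_PLANES] = { 4096, 4096, 4096, 4096, 4096, 4096, 4096, 4096 };
    unsigned int n = CALLER_MAX_PLANES;
    int rc = queue_setup_unchecked(&q, &n, sizes);
    printf("unchecked rc=%d overruns=%u\n", rc, oob_hits);
    printf("checked   rc=%d\n", queue_setup_checked(&q, &n, sizes));
    return 0;
}
```

With the constructed input, the unchecked loop reports success while stepping past the three-entry array, which is why the rejection has to happen before the loop rather than inside it.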

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
