VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54284

Description

In the Linux kernel, the following vulnerability has been resolved:

media: av7110: prevent underflow in write_ts_to_decoder()

The buf[4] value comes from the user via ts_play(). It is a value in the u8 range. The final length we pass to av7110_ipack_instant_repack() is "len - (buf[4] + 1) - 4" so add a check to ensure that the length is not negative. It's not clear that passing a negative len value does anything bad necessarily, but it's not best practice.

With the new bounds checking the "if (!len)" condition is no longer possible or required so remove that.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's av7110 DVB driver, a missing bounds check in write_ts_to_decoder() allows a user-supplied value to cause an integer underflow.

Root Cause

The vulnerability resides in the write_ts_to_decoder() function of the av7110 media driver. The function receives a buffer from user space via ts_play(), where the byte at offset 4 (buf[4]) is controlled by the caller. This value is used in a length calculation: len - (buf[4] + 1) - 4. Without proper validation, a large buf[4] (up to 255) can cause the subtraction to wrap around, resulting in a negative len value passed to av7110_ipack_instant_repack() [1].
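The length arithmetic described above, modelled in user space as an added example; it is not the kernel's code or the actual patch. The function names are hypothetical, and the 188-byte packet size and sample buf[4] values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TS_SIZE 188 /* MPEG-TS packet size; sample packets below are constructed */
#define TS_HDR  4   /* the "- 4" in the advisory's expression */

/* Unchecked: "len - (buf[4] + 1) - 4" evaluated as a signed value. */
static long payload_len_unchecked(const uint8_t *buf, size_t len)
{
    return (long)len - ((long)buf[4] + 1) - TS_HDR;
}

/* Checked (hypothetical helper): returns 0 and stores the payload length,
 * or -1 when the caller-supplied buf[4] does not fit in the packet. */
static int payload_len_checked(const uint8_t *buf, size_t len, size_t *out)
{
    size_t skip;

    if (len < (size_t)TS_HDR + 1)   /* buf[4] itself must be in bounds */
        return -1;
    skip = (size_t)buf[4] + 1;
    if (skip > len - TS_HDR)        /* compare before subtracting: no wrap */
        return -1;
    *out = len - TS_HDR - skip;
    return 0;
}

/* Build a constructed packet whose only interesting byte is buf[4]. */
static void make_pkt(uint8_t *pkt, uint8_t b4)
{
    memset(pkt, 0, TS_SIZE);
    pkt[0] = 0x47;                  /* TS sync byte */
    pkt[4] = b4;
}

int main(void)
{
    static const uint8_t samples[] = { 7, 183, 184, 255 };
    uint8_t pkt[TS_SIZE];
    size_t i, out;

    for (i = 0; i < sizeof(samples); i++) {
        make_pkt(pkt, samples[i]);
        int ok = payload_len_checked(pkt, TS_SIZE, &out) == 0;
        printf("buf[4]=%3u unchecked=%4ld checked=%s\n", (unsigned)samples[i],
               payload_len_unchecked(pkt, TS_SIZE), ok ? "accept" : "reject");
    }
    return 0;
}
```

The checked helper compares before it subtracts, so the stored length can reach zero but never goes below it.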

Exploitation Surface

An attacker with the ability to send TS (transport stream) data to the av7110 device — typically requiring local access or the ability to interact with the DVB subsystem — can craft a malicious ts_play() call with a large buf[4] value [1]. The attack does not require elevated privileges beyond the ability to open the device file and write to it. The negative length argument could trigger undefined behavior in the downstream packet processor, potentially leading to memory corruption or a denial-of-service condition.

Impact

Successful exploitation may result in a kernel crash (denial of service) or, depending on how the negative length is interpreted by av7110_ipack_instant_repack(), memory corruption that could be leveraged for further compromise. The advisory notes that it is unclear whether a negative length causes anything "bad" but confirms it is not best practice and the patch prevents the underflow [1].

Mitigation

The fix was applied to the Linux kernel stable trees in commits [1][2][3][4]. Users should update to a kernel version containing the patch. No workaround is available other than limiting local access to the av7110 device.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 9


References: 9
