CVE-2025-38585

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
19/08/2025
Last modified:
26/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()

When gmin_get_config_var() calls efi.get_variable() and the EFI variable is larger than the expected buffer size, two behaviors combine to create a stack buffer overflow:

1. gmin_get_config_var() does not return the proper error code when efi.get_variable() fails. It returns the stale 'ret' value from earlier operations instead of indicating the EFI failure.

2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates *out_len to the required buffer size but writes no data to the output buffer. However, due to bug #1, gmin_get_var_int() believes the call succeeded.

The caller gmin_get_var_int() then performs:
- Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack
- Calls gmin_get_config_var(dev, is_gmin, var, val, &len) with len=64
- If EFI variable is >64 bytes, efi.get_variable() sets len=required_size
- Due to bug #1, thinks call succeeded with len=required_size
- Executes val[len] = 0, writing past end of 65-byte stack buffer

This creates a stack buffer overflow when EFI variables are larger than 64 bytes. Since EFI variables can be controlled by firmware or system configuration, this could potentially be exploited for code execution.

Fix the bug by returning proper error codes from gmin_get_config_var() based on EFI status instead of stale 'ret' value.

The gmin_get_var_int() function is called during device initialization for camera sensor configuration on Intel Bay Trail and Cherry Trail platforms using the atomisp camera stack.
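The stale-'ret' pattern and its corrected form, as an added C illustration that is not the kernel's own code: fake_get_variable stands in for efi.get_variable(), get_config_var_stale and get_config_var_fixed stand in for the two versions of gmin_get_config_var(), terminator_index mirrors the caller's val[len] = 0 step but reports the index instead of writing it, and the EFI status values and the -ENOSPC mapping are assumptions.

```c
/* Added illustration of CVE-2025-38585 (not the kernel's own code).
 * Names, status values and error mapping are simplified assumptions. */
#include <string.h>
#include <errno.h>

#define CFG_VAR_NAME_MAX     64
#define EFI_SUCCESS          0
#define EFI_BUFFER_TOO_SMALL 5   /* constructed stand-in for the EFI status */

/* Constructed stand-in for efi.get_variable(): the "firmware" variable is
 * var_size bytes. When the caller's buffer is too small it only reports
 * the required size and writes nothing, as the advisory describes. */
static int fake_get_variable(size_t var_size, char *out, size_t *out_len)
{
    if (var_size > *out_len) {
        *out_len = var_size;
        return EFI_BUFFER_TOO_SMALL;
    }
    memset(out, 'A', var_size);
    *out_len = var_size;
    return EFI_SUCCESS;
}

/* Vulnerable shape: the EFI status is discarded and the stale 'ret'
 * (still 0 from earlier work) is returned, so the failure is hidden. */
static int get_config_var_stale(size_t var_size, char *out, size_t *out_len)
{
    int ret = 0;
    fake_get_variable(var_size, out, out_len);
    return ret;
}

/* Fixed shape: derive the return value from the EFI status. */
static int get_config_var_fixed(size_t var_size, char *out, size_t *out_len)
{
    int status = fake_get_variable(var_size, out, out_len);
    if (status == EFI_SUCCESS)
        return 0;
    return status == EFI_BUFFER_TOO_SMALL ? -ENOSPC : -EINVAL;
}

/* Mirrors gmin_get_var_int(): 65-byte stack buffer, len=64 on entry.
 * Returns the index val[len] = 0 would touch (-1 if the call was
 * rejected) instead of performing the write, so an out-of-bounds index
 * (> CFG_VAR_NAME_MAX) is reported rather than executed. */
static int terminator_index(int (*getter)(size_t, char *, size_t *), size_t var_size)
{
    char val[CFG_VAR_NAME_MAX + 1];
    size_t len = CFG_VAR_NAME_MAX;
    int ret = getter(var_size, val, &len);
    return ret ? -1 : (int)len;
}
```

With a 100-byte variable the stale version reports index 100, well past the 65-byte buffer, while the fixed version rejects the call and never reaches the write.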

Vulnerable products and versions

CPE                                            From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.0 (including)   6.12.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.13 (including)  6.15.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.16 (including)  6.16.1 (excluding)