CVE-2022-29022: 
NixOS vulnerability analysis and mitigation

A buffer overflow vulnerability exists in the razeraccessory driver of OpenRazer up to version v3.3.0 that allows attackers to cause a Denial of Service (DoS) and possibly escalate their privileges via a crafted buffer sent to the matrixcustomframe device. The vulnerability was discovered in April 2022 and patched in OpenRazer version 3.3.0 (CyberArk Research, GitHub PR).

The vulnerability exists in the matrixcustomframe functionality which allows setting colors of device rows. The bug occurs because there is no validation on the rowlength parameter calculated from user-controlled startcol and stopcol values. This allows an attacker to trigger a buffer overflow by providing values that make rowlength exceed the 80-byte size limit of the arguments buffer in the razer_report structure. The vulnerability received a CVSS v3.1 Base Score of 9.8 CRITICAL (NVD).

The vulnerability could allow attackers to cause a Denial of Service by crashing the driver. On systems without FORTIFY_SOURCE protection enabled, the buffer overflow could potentially be leveraged for privilege escalation by chaining with an information leak vulnerability to bypass KASLR and stack canary mitigations (CyberArk Research).

The vulnerability was patched in OpenRazer version 3.3.0 by adding validation checks before the memcpy operation to prevent buffer overflow. Users should upgrade to version 3.3.0 or later. Additionally, having FORTIFY_SOURCE enabled during driver compilation provides protection against exploitation beyond DoS (GitHub PR, CyberArk Research).