A vulnerability in the Linux kernel's thermal driver code for CPU frequency cooling has been fixed. The vulnerability, identified as CVE-2020-36776, is an out-of-bounds issue in the cpu_power_to_freq() function. It can occur when the power is limited below the power of the OPPs (Operating Performance Points) in the Energy Model (EM) table, resulting in a negative array index and a slab out-of-bounds (OOB) access.

To fix this issue, the lowest frequency is returned if no suitable OPP for the limited power can be found in the EM table. The commit message for the fix, including the backtrace of the problem as reported by KASAN (Kernel Address Sanitizer), is reproduced below.

Commit Message and KASAN Backtrace

 thermal/drivers/cpufreq_cooling: Fix slab OOB issue

 Slab OOB issue is scanned by KASAN in cpu_power_to_freq().
 If power is limited below the power of OPP in EM table,
 it will cause slab out-of-bound issue with negative array
 index.

 //////////////////////////////////////////////////////////////////////

 [<ffffffd02d2a37f>] die+x104/x5ac
 [<ffffffd02d2a563>] bug_handler+x64/xd
 [<ffffffd02d288ce4>] brk_handler+x160/x258
 [<ffffffd02d281e5c>] do_debug_exception+x248/x3f
 [<ffffffd02d284488>] el1_dbg+x14/xbc
 [<ffffffd02d75d1d4>] __kasan_report+x1dc/x1e
 [<ffffffd02d75c2e>] kasan_report+x10/x20
 [<ffffffd02d75def8>] __asan_report_load8_noabort+x18/x28
 [<ffffffd02e6fce5c>] cpufreq_power2state+x180/x43c
 [<ffffffd02e6ead80>] power_actor_set_power+x114/x1d4
 [<ffffffd02e6fac24>] allocate_power+xaec/xde
 [<ffffffd02e6f9f80>] power_allocator_throttle+x3ec/x5a4
 [<ffffffd02e6ea888>] handle_thermal_trip+x160/x294
 [<ffffffd02e6edd08>] thermal_zone_device_check+xe4/x154
 [<ffffffd02d351cb4>] process_one_work+x5e4/xe28
 [<ffffffd02d352f44>] worker_thread+xa4c/xfac
 [<ffffffd02d360124>] kthread+x33c/x358
 [<ffffffd02d289940>] ret_from_fork+xc/x18
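
The indexing mistake and the clamp to the lowest frequency can be reproduced in user space. The following is an added example, not the kernel's source: the struct layout, function names, loop shape and table values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model, not kernel source: one simplified Energy Model entry. */
struct opp { uint32_t frequency_khz; uint32_t power_mw; };

/* Constructed sample table, sorted by ascending power like an EM table. */
static const struct opp em_table[] = {
    { 500000, 100 }, { 1000000, 250 }, { 1500000, 480 }, { 2000000, 900 },
};
#define MAX_LEVEL ((int)(sizeof(em_table) / sizeof(em_table[0])) - 1)

/* Unchecked search: walks down from the highest OPP looking for one that
 * fits the budget. If the budget is below every entry the loop runs off
 * the front and leaves i == -1, the negative index from the report. */
static int opp_index_unchecked(const struct opp *t, int max_level, uint32_t power)
{
    int i;
    for (i = max_level; i >= 0; i--)
        if (power >= t[i].power_mw)
            break;
    return i;
}

/* Checked search: stops at index 0, so the lowest OPP is the fallback. */
static int opp_index_checked(const struct opp *t, int max_level, uint32_t power)
{
    int i;
    for (i = max_level; i > 0; i--)
        if (power >= t[i].power_mw)
            break;
    return i;
}

/* Power budget -> frequency, always indexing inside the table. */
static uint32_t power_to_freq(const struct opp *t, int max_level, uint32_t power)
{
    return t[opp_index_checked(t, max_level, power)].frequency_khz;
}

int main(void)
{
    const uint32_t budgets[] = { 5000, 300, 50 };  /* 50 is below every OPP */
    for (int b = 0; b < 3; b++)
        printf("%u mW: unchecked index %d, checked %u kHz\n", (unsigned)budgets[b],
               opp_index_unchecked(em_table, MAX_LEVEL, budgets[b]),
               (unsigned)power_to_freq(em_table, MAX_LEVEL, budgets[b]));
    return 0;
}
```

The unchecked helper only returns the index and never dereferences it, so the model shows the -1 without performing the out-of-bounds read itself.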

The exploit details and the fix for this issue can be found in the original reference links provided below:

1. Linux Kernel git commit
2. Linux Kernel Mailing List post
3. Red Hat Bugzilla

In conclusion, by returning the lowest frequency when a suitable OPP cannot be found in the Energy Model table, the slab out-of-bounds issue in the Linux kernel's thermal drivers and CPU frequency cooling code has been resolved. This fix ensures that a negative array index and an out-of-bound situation are avoided, resulting in a more secure and stable kernel.

Timeline

Published on: 02/27/2024 19:04:05 UTC
Last modified on: 04/10/2024 19:34:31 UTC