Security vulnerabilities in the Linux kernel are a serious matter, as they can lead to a wide range of malicious activities such as unauthorized access, data leakage, or system crashes. In this post, we'll discuss the recent CVE-2024-26599 vulnerability, which involved an out-of-bounds access issue in the of_pwm_single_xlate() function. We'll cover the details of the vulnerability and its exploitation, as well as the code snippet and the references to the original sources.

Vulnerability Details

The CVE-2024-26599 vulnerability is related to the Linux kernel's pulse-width modulation (PWM) subsystem, which is used for controlling the power signals provided to various devices. The vulnerability was present in the of_pwm_single_xlate() function and resulted from incorrect handling of the args->args_count value. Specifically, when args->args_count was set to 2, only args->args[0] and args->args[1] held supplied cells, yet the code read args->args[2], which was undefined, causing an out-of-bounds read and potentially leading to a crash or other unintended behavior.

Exploit Details

An attacker could potentially exploit this vulnerability by crafting a malicious device tree blob (DTB) that contained a PWM specifier with an args_count value of 2, and then loading it into the kernel's device tree parser. This would trigger the out-of-bounds access in of_pwm_single_xlate(), which could in turn cause a crash or other undefined behavior. While the exact impact and severity of this exploit are yet to be determined, it is nonetheless important to address this issue to ensure the security and stability of the Linux kernel.

Code Snippet

The following code snippet shows the vulnerable portion of the of_pwm_single_xlate() function and the subsequent fix:

// Original vulnerable code (simplified)
static int of_pwm_single_xlate(struct device *dev, struct of_phandle_args *args)
{
    unsigned int flags;
    /* ... */
    // Incorrect: reads args->args[2] when args->args_count == 2, but a
    // two-cell specifier only defines args->args[0] and args->args[1]
    if (args->args_count <= 2)
        flags = args->args[2];
    /* ... */
}

// Fixed code (simplified)
static int of_pwm_single_xlate(struct device *dev, struct of_phandle_args *args)
{
    unsigned int flags;
    /* ... */
    // Correct: the flags cell is args->args[1], and it is only read
    // once args->args_count confirms that a second cell exists
    if (args->args_count >= 2)
        flags = args->args[1];
    /* ... */
}

As seen in the updated code, the correct index into the arguments array is args->args[1] rather than args->args[2], and the read is guarded by a check on args->args_count, which closes the out-of-bounds access.
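To make the bounds rule concrete, here is an added example (not code from the kernel or from the commit above) that models a phandle argument list as a fixed array plus a cell count, and translates a single-PWM specifier only through indices below that count. The struct names, PWM_FLAG_INVERTED and the two-cell layout (period, flags) are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical, simplified model of a phandle argument list, not the
 * kernel's struct of_phandle_args: fixed storage plus a count of the
 * cells the device tree actually supplied. */
#define MAX_SPEC_ARGS 16
#define PWM_FLAG_INVERTED (1u << 0) /* constructed flag bit for this example */

struct spec_args {
	uint32_t args[MAX_SPEC_ARGS];
	int args_count;
};

struct pwm_spec {
	uint32_t period;
	bool inverted;
};

/* A cell index is meaningful only when it is below args_count; storage
 * past that holds stale data from earlier use, never a real cell. */
static bool spec_cell_valid(const struct spec_args *a, int idx)
{
	return idx >= 0 && idx < a->args_count && idx < MAX_SPEC_ARGS;
}

/* Bounds-checked translation of a single-PWM specifier: cell 0 is the
 * period, cell 1 (when present) carries flags. Returns 0 on success,
 * -1 when the specifier has more cells than this binding defines. */
static int parse_single_pwm(const struct spec_args *a, struct pwm_spec *out)
{
	if (a->args_count < 0 || a->args_count > 2)
		return -1;
	out->period = 0;
	out->inverted = false;
	if (spec_cell_valid(a, 0))
		out->period = a->args[0];
	/* For a two-cell specifier the last valid index is 1, never 2. */
	if (spec_cell_valid(a, 1))
		out->inverted = (a->args[1] & PWM_FLAG_INVERTED) != 0;
	return 0;
}
```

With a two-cell specifier whose third slot still holds stale data, the parser never consults that slot, which is exactly the guarantee the kernel fix restores.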

Original References

For additional context and information, the following links provide references to the original sources reporting this vulnerability:

1. Linux kernel commit that fixed the issue: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cdb31f8136d1683f92b2d1869c7df5f2d4cb2469
2. PWM subsystem documentation: https://www.kernel.org/doc/html/latest/driver-api/pwm.html

In conclusion, the CVE-2024-26599 vulnerability highlights the importance of thorough code analysis and testing in the Linux kernel. By understanding the implications of seemingly minor issues like an out-of-bounds access, we can continuously improve the security, stability, and performance of the systems that rely on this open-source platform.

Timeline

Published on: 02/23/2024 15:15:09 UTC
Last modified on: 04/17/2024 19:34:01 UTC