---
Introduction
A recently resolved vulnerability, CVE-2024-26965, affected the Linux kernel’s Qualcomm MSM8974 clock controller (clk: qcom: mmcc-msm8974). This issue arose due to improperly terminated frequency table arrays, potentially leading to out-of-bounds (OOB) memory access. Here, we’ll break down the details, show code snippets, link you to references, and explain what happened in simple terms.
What’s the Problem?
In the Linux kernel’s source code for Qualcomm MSM8974's multimedia clock controller, there are arrays listing supported frequencies for various hardware clocks. These arrays are supposed to end with an "empty" entry (all zeros), which marks the end of the array for functions that walk the list (like qcom_find_freq()).
If this zeroed-out entry is missing, anything scanning the array can keep going off the end, reading garbage data—this is called out-of-bounds access and could cause the kernel to crash or, in some hypothetically rare cases, be exploited for code execution.
In drivers/clk/qcom/mmcc-msm8974.c, frequency tables missed a terminating empty element
static const struct freq_tbl ftbl_mdp_clk[] = {
{ 19200000, P_PLL8, 1, 1, 8 },
{ 38400000, P_PLL8, 1, 1, 4 },
// ... more entries ...
// <== OOPS! No terminating zeroed entry here.
};
Anyone using this table with functions like qcom_find_freq() risks walking off past valid memory and possibly reading into uninitialized or unrelated data.
The Fix
The solution is simple: add a terminating empty entry to these arrays.
Here’s how the patched code looks
static const struct freq_tbl ftbl_mdp_clk[] = {
{ 19200000, P_PLL8, 1, 1, 8 },
{ 38400000, P_PLL8, 1, 1, 4 },
// ... more entries ...
{ }
};
That { } is an all-zero structure, marking the end of the array. Now, functions will stop correctly.
Patch Commit:
clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays
CVE Details:
CVE-2024-26965 at NVD
- **Qualcomm MMCC MSM8974 Source (Linux)](https://elixir.bootlin.com/linux/latest/source/drivers/clk/qcom/mmcc-msm8974.c)
Who’s Affected?
Any system using the Linux kernel with the MSM8974 clock driver (common in some Qualcomm-based Android devices or reference boards) that is using frequency tables without the terminator.
How Could This Be Exploited?
- Denial of Service: The most likely outcome is a kernel panic or crash when the OOB read hits invalid memory.
- Information Disclosure: If attacker-controlled code can fiddle with memory after the array, it might leak data from the kernel’s memory (but this is unlikely due to it being an internal driver table).
- Code Execution: Extremely unlikely because arbitrary memory isn’t written, just read, but in theory, it’s possible if combined with other bugs.
Simple Proof-of-Concept
Here's pseudo-code showing how the bug could be triggered by a function traversing the frequency table:
// Simplified frequency search function
const struct freq_tbl *f;
for (f = ftbl_mdp_clk; f->freq; f++) {
// process frequency
}
// If no {,,,,} terminator, this loop runs forever or reads junk!
How Was It Discovered?
The issue was caught during code review and static analysis; it was "compile tested" only, meaning it wasn't triggered by a known exploit in the wild but was fixed proactively.
Mitigation
Update your kernel!
If you use the affected MSM8974 clock driver, ensure you are using a release with the patch described above, or manually add terminators to any custom frequency tables.
Conclusion
CVE-2024-26965 is a classic example of a simple bug with potentially severe consequences in kernel space. If you’re a device vendor using Qualcomm MSM8974 chipsets with Linux, make sure you pull the latest kernel or apply this fix.
Further Reading
- Understanding Linux Kernel OOB
- Linux Kernel Security Practices
Timeline
Published on: 05/01/2024 06:15:12 UTC
Last modified on: 05/04/2025 09:00:58 UTC