Published: June 2024
Severity: Medium
Component: Linux Kernel (Qualcomm Common Clock Driver - gcc-ipq9574)
Affected Versions: Kernel versions using clk: qcom: gcc-ipq9574 driver prior to patch
Fixed In: Linux kernel patch
Overview
A new vulnerability labeled CVE-2024-26968 was recently fixed in the Linux kernel, specifically within the Qualcomm Common Clock Controller (QCOM GCC) driver for the IPQ9574 SoC (gcc-ipq9574). This flaw is linked to the way frequency table arrays are terminated when defining frequency sets for clocks.
Missing a terminator in the array could result in out-of-bounds memory access during traversal, potentially leading to a crash or unexpected behavior. While the bug is technical, its consequences could affect any Linux device using this Qualcomm chipset, such as routers or embedded systems.
What’s the Issue?
The frequency table is an array that lists all allowed clock frequencies for a device, ending with a special empty marker to show where the list stops. Without this marker, code that loops through the table (such as qcom_find_freq() or qcom_find_freq_floor()) might read beyond the end of the array, causing security and stability concerns.
Think of it as writing a list and forgetting to put a “the end” sign at the bottom — someone might just keep reading garbage past your actual list.
The Vulnerable Code
### Old/Incorrect Example
Here’s how the vulnerable frequency table looked (simplified)
static struct freq_tbl ftbl_gcc_qupv3_wrap1_s_clk_src[] = {
F(25000000, P_BI_TCXO, 1, , ),
F(50000000, P_GPLL_OUT_MAIN, 12, 1, 2),
// No terminating empty element
};
Functions such as qcom_find_freq() expect a table-ending marker like this
{ }
Without it, the function keeps reading, possibly accessing memory it should not touch. This is called a buffer overflow bug.
The patch simply adds an empty entry at the end of such arrays. Here's the fixed version
static struct freq_tbl ftbl_gcc_qupv3_wrap1_s_clk_src[] = {
F(25000000, P_BI_TCXO, 1, , ),
F(50000000, P_GPLL_OUT_MAIN, 12, 1, 2),
{} // <- Safe terminator added
};
With this, any code traversing the array stops safely.
Patch reference:
- clk: qcom: gcc-ipq9574: fix terminating of frequency table arrays (kernel.org)
How Can This Be Exploited?
In practice, this is not a remote code execution bug, but out-of-bounds memory access can potentially be abused:
- Local code execution: A malicious process with the right permissions might trigger this code path to cause memory corruption or crash the device.
- Device instability: Unintentional kernel panics or data corruption, especially in network gear using this driver.
The kernel team only “compile tested” the patch, so practical exploitation is theoretically possible, but would be complex and minor compared to other kernel bugs.
Exploit Scenario: Example
Say you have a custom driver that regularly refreshes available frequencies for power scaling. If your code calls qcom_find_freq() on the table above, here’s what happens:
Vulnerable traversal loop (simplified)
for (i = ; freq_tbl[i].freq; i++) {
// Do something
}
- If there’s no empty member at the end and garbage values exist in memory, the loop could keep going, leading to unpredictable results.
With the fix
The loop stops when it finds {} as the terminator, before accessing memory it should not.
Immediate Action: Upgrade to a Linux kernel version that includes the patch.
- Embedded Developers: Double check your own frequency tables if you’re maintaining hardware drivers.
- Users: If your device runs custom firmware (OpenWRT, etc.) on IPQ9574 chipsets, ensure patches have been applied.
Kernel Patch:
clk: qcom: gcc-ipq9574: fix terminating of frequency table arrays (kernel.org)
Linux Security CVE:
CVE-2024-26968 (MITRE) *(link may go live after CVE is processed)*
Conclusion
CVE-2024-26968 is a reminder that even simple mistakes like forgetting to end an array can cause security problems, especially in kernel and low-level software. The fix is simple, but staying vigilant is important — update early and check your own code for similar bugs!
Timeline
Published on: 05/01/2024 06:15:13 UTC
Last modified on: 12/23/2024 13:54:14 UTC