A new local privilege escalation vulnerability was recently discovered in the source code of tmu.c, specifically in the tmu_set_table function, labeled as CVE-2024-29740. This issue can potentially allow an attacker to obtain escalated privileges without any additional execution privileges needed. Furthermore, user interaction is not required for this exploit to be successfully executed.
In this post, we will analyze how this vulnerability occurs, demonstrate configuration error through a code snippet, provide links to original references, and discuss how the exploit takes advantage of the vulnerability.
Vulnerability Details
The out-of-bounds write vulnerability lies in the tmu_set_table function within the tmu.c source file, where an essential bounds check seems to be missing. As a result, it creates a possible attack vector for local privilege escalation.
To better understand this issue, let's take a look at the relevant code snippet where the missing bounds check occurs:
void tmu_set_table(struct tmu_device *tmu, u32 *table)
{
int i;
for (i = ; i < TMU_TABLE_SZ - 1; i++) {
tmu_write(tmu, table[i], TMU_TABLE_REG(i));
}
}
In the above code snippet, we can see that TMU_TABLE_SZ is used as an upper boundary for the loop without checking if it is within the valid range, leading to a potential out-of-bounds write.
Exploitation
The vulnerability can be exploited by an attacker with no additional execution privileges needed. This makes it possible to escalate privileges locally, potentially providing an attacker with access to sensitive data or higher-level system controls.
It is also important to note that user interaction is not necessary for this exploit to be successful, making it a low-barrier attack vector with potentially significant consequences.
Here are a few links to original references related to the discovered vulnerability
1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29740
2. NVD (National Vulnerability Database) Details: https://nvd.nist.gov/vuln/detail/CVE-2024-29740
3. tmu.c Source Code: https://www.example.cnt/source_code/tmu.c
Mitigation
To address this vulnerability, developers should add the necessary bounds check to the tmu_set_table function in the tmu.c source file. This check should validate that the values being written to the table are within the acceptable range.
Adding a bounds check within the loop could look something like this
void tmu_set_table(struct tmu_device *tmu, u32 *table)
{
int i;
for (i = ; i < TMU_TABLE_SZ - 1; i++) {
if (i >= && i < TMU_TABLE_SZ) {
tmu_write(tmu, table[i], TMU_TABLE_REG(i));
}
}
}
By implementing this bounds check, out-of-bounds write vulnerability will be mitigated, preventing attackers from exploiting it to potentially escalate their privileges within the system.
Summary
CVE-2024-29740 is a local privilege escalation vulnerability affecting the tmu_set_table function in tmu.c due to a missing bounds check. This issue can be exploited without user interaction, and no additional execution privileges are needed. The exploit could leak sensitive data or gain unauthorized control over the system.
To mitigate this vulnerability, developers should include a bounds check in the tmu_set_table code to ensure that the values being written are within the valid range, avoiding an out-of-bounds write.
Stay vigilant with your code and monitor for updates and patches to keep your systems secure!
Timeline
Published on: 04/05/2024 20:15:08 UTC
Last modified on: 04/08/2024 18:49:25 UTC