In June 2024, security researchers discovered a severe kernel-level bug affecting Linux systems built on certain Qualcomm SoC hardware. Tracked as CVE-2024-53158, the vulnerability is an array underflow in the Qualcomm GENI Serial Engine (geni-se) driver. Depending on context, the bug could be abused for *kernel address leakage* or *potential privilege escalation*.

Below, I’ll walk you through the technical details, demonstrate the problematic code, share how attackers could possibly exploit it, and list available patches and references.

What’s Vulnerable?

The affected code sits in drivers/soc/qcom/geni-se.c, the file responsible for serial communication on Qualcomm chips via the GENI interfaces.

Specifically, the function

static void geni_se_clk_tbl_get(struct geni_se *se, u32 *clk_tbl)

is intended to fill an array of recommended clock rates for serial interfaces. However, because the loop compares each entry against the previous one starting from index zero, the code reads memory *before* the start of the driver's clk_perf_tbl[] array, which is undefined behavior.

Let's look at the buggy logic that caused this underflow:

for (i = 0; i < len; i++) {
    freq = clk_round_rate(se->clk, these->clk_perf_tbl[i].perf);
    /* On the first pass i == 0, so this reads clk_perf_tbl[-1]: the underflow. */
    if (freq == these->clk_perf_tbl[i-1].freq)
        break;
    these->clk_perf_tbl[i].freq = freq;
}

Problem:
On the *first iteration* (i = 0), these->clk_perf_tbl[i-1] reads clk_perf_tbl[-1]. That is an *array underflow* in C, which may result in:

Infoleak:

*A local user or malicious process could trigger the function, reading kernel memory before the intended buffer.*
If this area previously held sensitive data (like heap addresses or PID information), an attacker could then use it to bypass kernel ASLR or other mitigations.

Privilege Escalation Potential:

While direct code execution is hard, an attacker who chains this with other vulnerabilities or uses heap spraying techniques might be able to escalate privileges in highly customized attacks.

 for (i = ; i < len; i++) {
-    freq = clk_round_rate(se->clk, these->clk_perf_tbl[i].perf);
-    if (freq == these->clk_perf_tbl[i-1].freq)
-        break;
-    these->clk_perf_tbl[i].freq = freq;
+    freq = clk_round_rate(se->clk, these->clk_perf_tbl[i].perf);
+    if (i >  && freq == these->clk_perf_tbl[i-1].freq)
+        break;
+    these->clk_perf_tbl[i].freq = freq;
 }
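Review bot: the `i > 0` guard fixes the underflow at index -1, but the hunk still runs `i` up to `len` with no visible check that `len` does not exceed the number of elements in `clk_perf_tbl`, so the write `these->clk_perf_tbl[i].freq = freq;` on the last line of the loop can overrun the end of the table if a caller passes a larger `len`; consider clamping `len` to the table's element count or iterating to the array size directly. Also, as shown here the lines read `i = ;` and `i > &&`, which does not compile; the literal `0` appears to have been dropped from both and should be present in the committed patch.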

Notice the change:

> if (i > 0 && freq == these->clk_perf_tbl[i-1].freq)
The comparison against the previous entry is now *skipped* on the first iteration (i == 0), so clk_perf_tbl[-1] is never read and the underflow is eliminated.
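As an added illustration (not code from this page, the kernel, or the upstream patch), the following user-space C model reproduces the loop's control flow over a constructed clock table, replacing raw indexing of the previous entry with a bounds-checked accessor that logs any out-of-range read instead of performing it. The struct layouts, mock_clk_round_rate(), the sample rates and the access log are all assumptions made for the example; they are not the driver's real types. Running both loop shapes over the same table shows the unpatched form attempting exactly one read at index -1 on its first pass, while the patched form never does:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CLK_PERF_LEVEL 8

/* Constructed stand-in for the driver's per-level clock table (assumed layout,
 * not the kernel's struct): a requested performance value and its rounded rate. */
struct perf_entry { uint32_t perf; long freq; };
struct mock_se { struct perf_entry clk_perf_tbl[MAX_CLK_PERF_LEVEL]; };

/* Counts attempts to read outside clk_perf_tbl[] instead of performing them. */
struct access_log { int oob_reads; };

/* Constructed, ascending list of rates the mock clock can actually produce. */
static const long supported_rates[] = { 7372800L, 14745600L, 29491200L, 58982400L };

/* Mock of clk_round_rate(): largest supported rate <= requested, else the lowest. */
static long mock_clk_round_rate(long requested)
{
    long best = supported_rates[0];
    for (size_t k = 0; k < sizeof supported_rates / sizeof supported_rates[0]; k++)
        if (supported_rates[k] <= requested)
            best = supported_rates[k];
    return best;
}

/* Bounds-checked read of clk_perf_tbl[idx].freq. An out-of-range index (such as
 * -1 on the first loop pass) is logged and yields 0 rather than touching memory
 * outside the array. */
static bool checked_freq(const struct mock_se *se, int idx, struct access_log *log, long *out)
{
    if (idx < 0 || idx >= MAX_CLK_PERF_LEVEL) {
        log->oob_reads++;
        *out = 0;
        return false;
    }
    *out = se->clk_perf_tbl[idx].freq;
    return true;
}

/* Same control flow as the unpatched loop: the comparison with entry i-1 runs on
 * every pass, including i == 0. Returns the number of entries filled. */
static int clk_tbl_get_unpatched(struct mock_se *se, int len, struct access_log *log)
{
    int i;
    for (i = 0; i < len; i++) {
        long freq = mock_clk_round_rate(se->clk_perf_tbl[i].perf);
        long prev;
        checked_freq(se, i - 1, log, &prev);   /* idx == -1 when i == 0 */
        if (freq == prev)
            break;
        se->clk_perf_tbl[i].freq = freq;
    }
    return i;
}

/* Patched shape: the i > 0 guard is evaluated first, so entry i-1 is only read
 * once a previous entry exists. */
static int clk_tbl_get_patched(struct mock_se *se, int len, struct access_log *log)
{
    int i;
    for (i = 0; i < len; i++) {
        long freq = mock_clk_round_rate(se->clk_perf_tbl[i].perf);
        long prev;
        if (i > 0 && checked_freq(se, i - 1, log, &prev) && freq == prev)
            break;
        se->clk_perf_tbl[i].freq = freq;
    }
    return i;
}

/* Constructed sample table: the third request rounds down to the same rate as the
 * second, which is the "no further distinct rate" condition the loop stops on. */
#define SAMPLE_LEN 4
static void init_sample(struct mock_se *se)
{
    static const uint32_t perf[SAMPLE_LEN] = { 7372800U, 14745600U, 20000000U, 29491200U };
    for (int i = 0; i < MAX_CLK_PERF_LEVEL; i++) {
        se->clk_perf_tbl[i].perf = i < SAMPLE_LEN ? perf[i] : 0;
        se->clk_perf_tbl[i].freq = 0;
    }
}

struct run_result { int filled; int oob_reads; };

static struct run_result run_loop(int (*get)(struct mock_se *, int, struct access_log *))
{
    struct mock_se se;
    struct access_log log = { 0 };
    struct run_result r;
    init_sample(&se);
    r.filled = get(&se, SAMPLE_LEN, &log);
    r.oob_reads = log.oob_reads;
    return r;
}

static struct run_result run_unpatched(void) { return run_loop(clk_tbl_get_unpatched); }
static struct run_result run_patched(void)   { return run_loop(clk_tbl_get_patched); }

int main(void)
{
    struct run_result u = run_unpatched(), p = run_patched();
    printf("unpatched: %d entries filled, %d out-of-bounds read(s)\n", u.filled, u.oob_reads);
    printf("patched:   %d entries filled, %d out-of-bounds read(s)\n", p.filled, p.oob_reads);
    return 0;
}
```

Both variants fill the same two entries, so the guard changes nothing about the table the driver ends up with; the only difference is the single read at index -1 that the unpatched loop performs before any entry exists. A checked accessor like this is also a cheap way to turn a review finding into a unit test: the assertion that `oob_reads` stays zero fails the moment someone reintroduces the unguarded comparison.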


## Proof Of Concept / Exploit Scenario

While there is *no public exploit* for this bug as of June 2024, one way to demonstrate the impact is to log the value read from before the buffer during the first loop iteration. It might dump previous kernel heap or stack data.

Sample trigger code:

// NOT a full exploit, but an illustration for developers
// (conceptual only: the struct layouts are simplified and this does not compile as-is)
int dummy_clk_perf_tbl[8];          // stand-in for the driver's clock table
struct geni_se fake_se = {
    .clk = ..., // create or fake a struct clk
    .clk_perf_tbl = (struct clk_perf_tbl *)dummy_clk_perf_tbl
};
u32 clk_tbl[8];

geni_se_clk_tbl_get(&fake_se, clk_tbl);   // first iteration reads clk_perf_tbl[-1]
// Examine clk_perf_tbl[-1] to see underflow effect

A malicious kernel module or root-access user could potentially leak memory using this technique, especially on customized and outdated kernel builds.

Who Is Impacted?

- Most desktop/server Linux users are not affected unless running on impacted Qualcomm SoCs and using the GENI SE driver.
- Embedded devices (smartphones, IoT, automotive) with unpatched kernels and Qualcomm hardware are at higher risk, especially with local user access or custom/untrusted apps.

Or, backport the referenced patch.

You can check for the fix by verifying that the i > 0 condition exists in your kernel's geni_se_clk_tbl_get() function.

Original References

- Upstream commit on kernel.org
- CVE-2024-53158 at cve.org
- LKML Patch Discussion
- Qualcomm GENI SE Linux Driver Docs

Summary

CVE-2024-53158 was a serious but obscure kernel bug, with possible security consequences on Qualcomm-equipped Linux devices. The takeaway for maintainers: always check array boundaries, especially when indexing relative to a loop counter (such as i-1)!

If you use Qualcomm-based Linux platforms, patch NOW!

*This advisory is written exclusively for educational and research use. If you’re a system administrator or kernel developer, update your devices ASAP! Share this info with your team to avoid similar bugs in future code reviews.*

Timeline

Published on: 12/24/2024 12:15:24 UTC
Last modified on: 05/04/2025 09:54:31 UTC