CVE-2024-53158 - Resolving Linux Kernel Vulnerability in the soc: qcom: geni-se Module

A vulnerability, identified as CVE-2024-53158, has been discovered and resolved in the Linux kernel. The issue is related to an array underflow in the _soc: qcom: geni-se_ module, specifically in the _geni_se_clk_tbl_get()_ function. In this post, we will delve into the vulnerability, its ramifications, and how it has been fixed. A code snippet, as well as links to the original references, will also be included to provide more context and understanding.

Vulnerability Explanation and Exploit Details

The vulnerability exists in the _geni_se_clk_tbl_get()_ function, which is responsible for looking up and retrieving clock rates in different frequency tables. This function is used by the _soc: qcom: geni-se_ module for several purposes, including setting up serial engine clocks and maintaining performance level settings.

The issue arises from a loop that is designed to break if the frequency returned from _clk_round_rate()_ is the same as the previous iteration. However, this check does not make sense on the first iteration through the loop, causing the function to read before the start of the _clk_perf_tbl[]_ array. This array underflow can lead to unexpected behavior, including crashes and potential security risks.

To exploit this vulnerability, an attacker could potentially craft input to trigger the array underflow and cause a denial of service (DoS) or even execute arbitrary code.

Here is the original code snippet that demonstrates the vulnerability

int i;

for (i = 1; i < MAX_CLK_PERF_LEVEL; ) {
    ret = geni_se_ioread(se, se_proto, i, &these);
    if (ret)
        break;

    freq = clk_round_rate(se->m_clk, freq + 1);
    if (freq == these->clk_perf_tbl[i - 1].freq)
        break;

    these->clk_perf_tbl[i].clk_speed_hz = se->m_clk;
    these->clk_perf_tbl[i].freq = freq;
    i++;
}

A fix for this issue has been implemented, which involves moving the frequency check to ensure that the first iteration does not read before the start of the _clk_perf_tbl[]_ array. The corrected code snippet is as follows:

int i;

for (i = 1; i < MAX_CLK_PERF_LEVEL; ) {
    ret = geni_se_ioread(se, se_proto, i, &these);
    if (ret)
        break;

    freq = clk_round_rate(se->m_clk, freq + 1);

    if (i > 1 && freq == these->clk_perf_tbl[i - 1].freq)
        break;

    these->clk_perf_tbl[i].clk_speed_hz = se->m_clk;
    these->clk_perf_tbl[i].freq = freq;
    i++;
}

By using this fix, the vulnerability is resolved, preventing the possibility of an array underflow and guarding the Linux kernel against potential exploits.

For additional information and context, you can refer to the following original references

- Linux kernel Git commit introducing the fix
- Report of the vulnerability
- Official CVE-2024-53158 entry

Conclusion

In conclusion, a dangerous vulnerability (CVE-2024-53158) in the Linux kernel has been identified and resolved. By implementing the provided fix in the _soc: qcom: geni-se_ module, the risk of array underflow and potential exploits is mitigated, resulting in a more secure Linux kernel system.

Timeline

Published on: 12/24/2024 12:15:24 UTC
Last modified on: 01/20/2025 06:20:02 UTC