Introduction: The Linux kernel is a critical component of many computer systems and underpins a wide range of operating systems (OS). The recent discovery of a memory corruption bug in the Linux kernel led to quick action by its developers. In this long-read post, we discuss the vulnerability, provide code snippets and links to the original references, and describe the steps taken to mitigate the issue's impact.

The Vulnerability: CVE-2024-53193

A vulnerability in the Linux kernel has been discovered and fixed in the clk: clk-loongson2 module. The bug caused memory corruption inside struct loongson2_clk_provider. The structure in question, struct clk_hw_onecell_data, ends in a flexible-array member, hws; the heap space for that array is allocated through the enclosing struct loongson2_clk_provider.

The bug arose because the structure containing the flexible array was not placed last within struct loongson2_clk_provider. Writes into the array therefore corrupted the clk_lock spinlock, which is located immediately after the clk_data member in the structure.

The allocation of struct loongson2_clk_provider is shown below:

        struct loongson2_clk_provider *clp;
...
        for (p = data; p->name; p++)
                clks_num++;

        clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num),
                           GFP_KERNEL);

Data is then written into the flexible array. Because hws[] starts where clk_lock lives, this write corrupts the spinlock:

                clp->clk_data.hws[p->id] = hw;

The struct loongson2_clk_provider looks like this:

struct loongson2_clk_provider {
	void __iomem *base;
	struct device *dev;
	struct clk_hw_onecell_data clk_data;
	spinlock_t clk_lock;	/* protect access to DIV registers */
};

The Fix

The developers fixed the bug by moving struct clk_hw_onecell_data clk_data to the end of struct loongson2_clk_provider, so that the flexible array grows past the end of the structure instead of over the clk_lock spinlock. Additionally, a code comment was added to help avoid similar issues in the future.

Here is the updated struct loongson2_clk_provider:

struct loongson2_clk_provider {
	void __iomem *base;
	struct device *dev;
	spinlock_t clk_lock;	/* protect access to DIV registers */
	struct clk_hw_onecell_data clk_data; /* should be placed at the end of the structure */
};
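To make the overlap concrete, here is an added example (not from the kernel or the commit) that models both layouts with constructed stand-in types and computes which hws[] index lands on clk_lock. The sizes of struct clk_hw and spinlock_t are assumptions; the real kernel types differ, but the layout argument is the same.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel types; sizes are assumptions. */
struct clk_hw { int dummy; };
typedef struct { unsigned int raw; } spinlock_t;

struct clk_hw_onecell_data {
	unsigned int num;
	struct clk_hw *hws[];	/* flexible-array member */
};

/* Pre-fix layout: clk_lock follows the struct with the flexible array. */
struct provider_before {
	void *base;
	void *dev;
	struct clk_hw_onecell_data clk_data;
	spinlock_t clk_lock;
};

/* Post-fix layout: clk_data is last, so hws[] extends past the struct end. */
struct provider_after {
	void *base;
	void *dev;
	spinlock_t clk_lock;
	struct clk_hw_onecell_data clk_data;
};

/* Smallest index i < n for which hws[i] overlaps the lock, or -1 if none. */
static long first_overlap(size_t hws_off, size_t lock_off, size_t lock_sz, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		size_t lo = hws_off + i * sizeof(struct clk_hw *);
		size_t hi = lo + sizeof(struct clk_hw *);
		if (lo < lock_off + lock_sz && lock_off < hi)
			return (long)i;
	}
	return -1;
}

/* With n clocks, which hws[] write first clobbers clk_lock in the old layout? */
long before_first_corrupted(size_t n)
{
	return first_overlap(offsetof(struct provider_before, clk_data.hws),
			     offsetof(struct provider_before, clk_lock), sizeof(spinlock_t), n);
}

/* Same question for the fixed layout: no element can reach clk_lock. */
long after_first_corrupted(size_t n)
{
	return first_overlap(offsetof(struct provider_after, clk_data.hws),
			     offsetof(struct provider_after, clk_lock), sizeof(spinlock_t), n);
}
```

On both 32-bit and 64-bit ABIs the pre-fix layout reports that hws[0] already overlaps the lock, while the fixed layout reports no overlap for any count.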

Original References

The original details of the vulnerability and the fix can be found in the Linux kernel commit history, specifically this commit.

Exploit Details

The memory corruption bug can lead to crashes and other unintended behavior on systems running an affected Linux kernel version. Corrupting the clk_lock spinlock inside struct loongson2_clk_provider undermines the locking that protects the driver's register accesses and could expose systems to further vulnerabilities.

By applying the fix discussed earlier, the Linux kernel developers have mitigated the impact of the vulnerability on affected systems. It is recommended to update the Linux kernel to the latest version to ensure the security and stability of the system.

Conclusion

In summary, CVE-2024-53193 has been addressed by the Linux kernel developers. The memory corruption bug in the clk: clk-loongson2 module has been fixed, thus mitigating potential crashes and other negative impacts on affected systems. As a best practice, users should always keep their system updated with the latest security patches and kernel updates to ensure they are protected from known vulnerabilities.

Timeline

Published on: 12/27/2024 14:15:26 UTC
Last modified on: 01/20/2025 06:20:58 UTC