CVE-2024-26969: Linux Kernel Vulnerability in clk: qcom: gcc-ipq8074 Frequency Table Arrays Fixed

As a responsible Linux user or administrator, it is important to stay up-to-date with the latest news regarding security patches and vulnerabilities. In this post, we will explore a recently resolved Linux kernel vulnerability (CVE-2024-26969) related to the Qualcomm clock controller driver. It is crucial to understand and apply the fix for this vulnerability to maintain the security and proper functioning of your Linux-based systems.

The vulnerability is present in the frequency table arrays in the clk: qcom: gcc-ipq8074 part of the Linux kernel. According to the original commit message on the official Linux git repository, the frequency table arrays should have been terminated with an empty element. However, due to the absence of this element in some arrays, it could lead to potential out-of-bound access when the table is traversed by functions like qcom_find_freq() or qcom_find_freq_floor().

Here is a code snippet from the patch that illustrates the fix:

 static const struct freq_tbl ftbl_gcc_sys_noc_axi_clk_src[] = {
        F(       24000, P_XO,    1, , ),
        F(    60000000, P_PLL_OUT_EVEN, 8, , ),
        F(   120000000, P_PLL_OUT_EVEN, 4, , ),
        F(   240000000, P_PLL_OUT_EVEN, 2, , ),
        F(   480000000, P_PLL_OUT_EVEN, 1, , ),
+       { }
 };

As you can see, the addition of { } at the end of the array ensures proper termination, preventing any out-of-bound access-related issues. This fix has been applied to the relevant arrays in the clk: qcom: gcc-ipq8074 section of the Linux kernel.

It is essential to keep your Linux kernel up-to-date, as kernel updates often include important security fixes like this one. To update your kernel, you can use your Linux distribution's package management tool, or you can compile and install a new kernel from the source code.

Please note that this vulnerability has only been compile tested, which means the patch has been tested to ensure it compiles properly without any errors, but it has not been tested in a real-world environment. While this does not diminish the importance of the fix, it is recommended to thoroughly test the patch on your systems before deploying it in critical environments.

In conclusion, CVE-2024-26969 is a vulnerability in the frequency table arrays of the clk: qcom: gcc-ipq8074 section of the Linux kernel, which has now been resolved. To maintain the security and stability of your Linux-based systems, make sure to apply the appropriate kernel updates as they become available. Stay informed about Linux kernel vulnerabilities by following trusted sources and always test patches before deploying them in critical environments.

Timeline

Published on: 05/01/2024 06:15:13 UTC
Last modified on: 06/27/2024 13:15:57 UTC