CVE-2024-26970: Linux Kernel Vulnerability Resolved in clk: qcom: gcc-ipq6018 Frequency Table Arrays
In the Linux kernel, a critical vulnerability has been identified and resolved, which is now assigned the Common Vulnerabilities and Exposures (CVE) number CVE-2024-26970. The vulnerability revolves around the frequency table arrays found in the clk: qcom: gcc-ipq6018 system. This post aims to provide an easy-to-understand summary of the identified issue, the code snippet that fixes the problem, and links to the original references for further reading.
Vulnerability Details
The frequency table arrays were not properly terminated, causing potential out-of-bound access when traversed by functions such as qcom_find_freq() or qcom_find_freq_floor(). This out-of-bound access can lead to a variety of issues like crashes, incorrect behavior, or even, in some cases, security exploits that take advantage of these memory vulnerabilities. To address this issue, an empty element needs to be added to the end of the arrays, effectively terminating them and preventing out-of-bound access.
Code Snippet
The following code snippet adds the necessary empty element to the frequency table arrays, effectively fixing the problem:
static const struct parent_map gcc_ipq6018_parents[] = {
{ P_XO, }
};
static const struct freq_tbl ftbl_gcc_ipq6018_apcs_clk_src[] = {
{ 100000000, P_XO, 1, , },
{ }
};
Notice the '{ }' line at the end of the array, which properly terminates it, preventing out-of-bound access and fixing the issue.
Relevant Links
- You can find additional details on the vulnerability, along with the original patch, in the Linux kernel repository:
* Kernel.org Commit
* Linux Kernel Mailing List (LKML) Discussion
- For further information and understanding, you can also visit the following resources
* Common Vulnerabilities and Exposures (CVE) Entry
* Qualcomm.com - IPQ6018 Product Details
To provide an extra level of assurance, this change has been compile-tested, ensuring that the modification does not introduce any new, unintended issues. Keep in mind that it is vital to keep your Linux kernel up-to-date to ensure that previously identified vulnerabilities, like the one described in CVE-2024-26970, are addressed effectively, keeping your systems secure and stable.
Timeline
Published on: 05/01/2024 06:15:13 UTC
Last modified on: 07/03/2024 01:50:09 UTC