A recently resolved Linux kernel vulnerability, CVE-2024-27006, concerns thermal debugging and a missing increment of trip point counts. The issue can lead to kernel crashes and incorrect average temperature recordings in trip statistics. This post explains the vulnerability in detail, with a relevant code snippet and original references.

Exploit Details

The vulnerability is in the Linux kernel's thermal/debugfs code. Specifically, thermal_debug_tz_trip_up() did not increment the count field in struct trip_stats. This oversight causes two problems:

1. If a trip point is crossed on the way up for the first time, the thermal_debug_update_temp() function cannot recognize it, as it hasn't been added to the trips_crossed[] array in the thermal zone's struct tz_debugfs object. Consequently, when the thermal_debug_tz_trip_up() function is called afterwards, the trip point's count value remains at 0. This causes a divide error during average temperature computation, resulting in a kernel crash. Incrementing the count to 1 resolves this issue.

2. If a trip point is crossed on the way up, but has already been crossed before, its count value must be incremented to accurately record the zone temperature rising above the trip. Failing to do so leads to inaccurate average temperature recordings in trip statistics, as the count does not update correctly when the zone temperature drops below the threshold following applied mitigations.

Code Snippet

To mitigate these issues, the count field in struct trip_stats must be incremented within the thermal_debug_tz_trip_up() function. Here's the corrected code snippet:

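static void thermal_debug_tz_trip_up(struct thermal_zone_device *tz, int trip)
{
    struct tz_debugfs *tzone = tz->debugfs;

    /* Nothing to record if debugfs statistics are not set up for this zone. */
    if (!tzone)
        return;

    /* The fix: count this upward crossing before the average is computed. */
    tzone->trip_stats[trip].count++;
    ...
}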
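
The two problems described above can be reproduced in a small userspace model. This is an added example, not code from the kernel or from the original post; the incremental-mean formula, the struct layout, the sample temperatures and the helper names (trip_up, first_cross, avg_after_recross) are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace model, not kernel code. Only `count` and the running average
 * come from the post; the layout and millidegree units are assumptions. */
struct trip_stats {
    int count; /* upward crossings/samples folded into avg */
    int avg;   /* running average temperature, millidegrees C */
};

/* Models the trip-up update. fixed = 0 omits the count increment (pre-patch),
 * fixed = 1 includes it. Returns 0 on success, or -1 where the unguarded
 * kernel code would have divided by zero. */
int trip_up(struct trip_stats *ts, int temperature, int fixed)
{
    if (fixed)
        ts->count++;
    if (ts->count == 0)
        return -1; /* model-only guard: the kernel took a divide error here */
    ts->avg += (temperature - ts->avg) / ts->count;
    return 0;
}

/* Problem 1: first crossing of a trip whose statistics are still zeroed. */
int first_cross(int fixed)
{
    struct trip_stats ts = { 0, 0 };
    return trip_up(&ts, 55000, fixed);
}

/* Problem 2: trip already holds two samples averaging 50000, then is crossed
 * upward again at 56000. True mean of {50000, 50000, 56000} is 52000. */
int avg_after_recross(int fixed)
{
    struct trip_stats ts = { 2, 50000 };
    trip_up(&ts, 56000, fixed);
    return ts.avg;
}

int main(void)
{
    printf("first crossing:   pre-patch=%d  patched=%d\n",
           first_cross(0), first_cross(1));
    printf("re-cross average: pre-patch=%d  patched=%d\n",
           avg_after_recross(0), avg_after_recross(1));
    return 0;
}
```

In the model, the pre-patch path reports the divide-by-zero condition on a first crossing and skews the average on a repeat crossing, while the patched path produces the true mean.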

Original References

For further information, please refer to the original patch notes and commit message from the Linux kernel source:

- Linux Kernel Patch Notes
- Linux Kernel Commit Message

Conclusion

The Linux kernel's recent thermal debugging vulnerability (CVE-2024-27006) has been resolved by properly incrementing trip point counts in thermal_debug_tz_trip_up(). This fix prevents potential kernel crashes and ensures accurate average temperature recordings in trip statistics. Developers and users should ensure their systems are updated with the latest kernel patches to avoid potential issues.

Timeline

Published on: 05/01/2024 06:15:19 UTC
Last modified on: 05/29/2024 05:26:53 UTC