CVE-2024-27008: Fixing Out of Bounds Access in Linux Kernel's drm/nv04 Module

In the Linux kernel, a security vulnerability (CVE-2024-27008) has been found and fixed in the drm/nv04 code of the nouveau driver. The issue is an out-of-bounds access to the 'dac_users' array caused by the Output Resource value that fabricate_dcb_output() stores in the fabricated DCB entry. This post gives an overview of the vulnerability, a code snippet illustrating the fix, and links to the original references and exploit details.

Vulnerability Details

In the Linux kernel's drm/nv04 code, fabricate_dcb_output() stores its 'or' argument in the Output Resource field (dcb->or) of the DCB entry it creates. Code that later indexes the 'dac_users' array derives the index from ffs(dcb->or). The kernel's ffs() returns 0 when its argument is zero, so when 'dcb->or' is zero the derived index falls outside the array and the access is out of bounds.

The 'or' argument of fabricate_dcb_output() is a bitmask naming the bit to set, one of DCB_OUTPUT_A, DCB_OUTPUT_B or DCB_OUTPUT_C from 'enum nouveau_or' (1 << 0, 1 << 1 and 1 << 2), not an ordinal value. The callers instead passed hard-coded integers, including 0, which is not a valid mask. The fix therefore replaces the hard-coded values in the calls with the 'enum nouveau_or' macros.

Code Snippet

The following snippet is a simplified illustration, not the verbatim kernel function (the real fabricate_dcb_output() lives in drivers/gpu/drm/nouveau/nouveau_bios.c). It shows how the 'or' argument reaches 'dcb->or' and then an ffs()-derived index. Note that the fix itself does not change this body; it changes the callers, which now pass 'enum nouveau_or' macros instead of hard-coded integers, so that 'dcb->or' is never zero and the index into 'dac_users' stays in range:

  static void
  fabricate_dcb_output(struct drm_device *dev, int type, u8 sr_index,
           enum nouveau_or or)
  {
      struct nouveau_drm *drm = nouveau_drm(dev);
      struct nvif_device *device = &drm->device;
      ...
      switch (type) {
      case DCB_OUTPUT_ANALOG:
          /* 'or' is a bitmask (DCB_OUTPUT_A/B/C), never a bare 0, 1, 2 */
          dcb->or    = or;
          /* ffs() returns 0 for a zero mask, so a caller passing 0 makes
           * an index derived this way fall outside the dac_users array */
          dcb->dac_nr = ffs(dcb->or) - NOUVEAU_DAC;
          break;
      ...
      }
  }
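The following program is an added example written for this post; it is not code from the page or from the nouveau driver. It reproduces the kernel's 'enum nouveau_or' bit values and the kernel ffs() semantics (0 for a zero argument) in user space to show what the old ordinal arguments 0, 1, 2 turn into as an ffs()-derived index, and sets a bounds-checked lookup beside the unchecked one. The 'dac_users' array, its size of three, the 'ffs(or) - 1' index shape and the claim_dac() helper are assumptions made for the illustration, not the driver's real layout.

```c
/* Added example, not code from the page or the nouveau driver. It models the
 * kernel's enum nouveau_or bit values and an ffs()-derived array index to show
 * why hard-coded 0/1/2 in the callers was wrong, and what a bounds-checked
 * lookup looks like. The dac_users array, its size and the "ffs(or) - 1"
 * index shape are assumptions made for this illustration. */
#include <stdbool.h>
#include <stdio.h>

/* Same values as the kernel's enum nouveau_or: one bit per output resource. */
enum nouveau_or {
    DCB_OUTPUT_A = (1 << 0),
    DCB_OUTPUT_B = (1 << 1),
    DCB_OUTPUT_C = (1 << 2),
};

/* Local ffs() with the kernel's semantics: 1-based position of the lowest
 * set bit, and 0 when no bit is set. */
static int kffs(unsigned int x)
{
    if (x == 0)
        return 0;
    int pos = 1;
    while ((x & 1u) == 0) {
        x >>= 1;
        pos++;
    }
    return pos;
}

#define NUM_DACS 3                 /* assumed: one slot per DCB_OUTPUT_A/B/C */
static bool dac_users[NUM_DACS];   /* stand-in for the driver's dac_users[] */

/* The unchecked computation: an `or` of 0 (ordinal "first output") gives
 * kffs(0) - 1 == -1, i.e. one element before the start of the array. */
static int or_to_index_unchecked(int or)
{
    return kffs((unsigned int)or) - 1;
}

/* Hardened lookup: `or` must be exactly one of the enum bits. Returns -1 for
 * 0, for masks with more than one bit set, and for bits beyond the array. */
static int or_to_index_checked(int or)
{
    unsigned int m = (unsigned int)or;

    if (m == 0 || (m & (m - 1)) != 0)   /* zero, or more than one bit set */
        return -1;
    int idx = kffs(m) - 1;
    if (idx >= NUM_DACS)
        return -1;
    return idx;
}

/* Record that a DAC is in use; refuses and leaves the array untouched when
 * `or` is not a valid single-bit resource mask. */
static bool claim_dac(int or)
{
    int idx = or_to_index_checked(or);

    if (idx < 0)
        return false;
    dac_users[idx] = true;
    return true;
}

int main(void)
{
    /* Old call style: ordinals 0, 1, 2 passed where a bitmask is expected */
    printf("or=0 (ordinal)   -> unchecked index %d (before the array)\n",
           or_to_index_unchecked(0));
    printf("or=2 (ordinal)   -> unchecked index %d (silently DCB_OUTPUT_B)\n",
           or_to_index_unchecked(2));
    /* Fixed call style: enum nouveau_or bits */
    printf("or=DCB_OUTPUT_A  -> unchecked index %d\n",
           or_to_index_unchecked(DCB_OUTPUT_A));
    printf("or=DCB_OUTPUT_C  -> unchecked index %d\n",
           or_to_index_unchecked(DCB_OUTPUT_C));
    printf("claim_dac(0)     -> %s\n", claim_dac(0) ? "ok" : "rejected");
    printf("claim_dac(B)     -> %s\n", claim_dac(DCB_OUTPUT_B) ? "ok" : "rejected");
    return 0;
}
```

Two things worth noticing from the output: ordinal 0 does not merely pick the wrong DAC, it produces index -1, which is the out-of-bounds read or write the CVE describes; and ordinal 2 is not rejected by anything, it just lands on the DCB_OUTPUT_B slot, so a caller that meant "third output" silently gets the second. The checked variant treats zero and multi-bit masks as errors before touching the array, which is the defensive shape you want whenever an index is derived from a bitmask.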

Original References

This vulnerability (CVE-2024-27008) was found by the Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. The details are in the message of the fixing commit in the Linux kernel repository:

1. CVE-2024-27008 Commit Message

Exploit Details

As of now, there have been no reports of this vulnerability being exploited in the wild. The Linux kernel has addressed the issue, and users are encouraged to update to a kernel that carries the patch. The bug is not attacker-triggered: the offending 'dcb->or' values are hard-coded arguments in the driver's own fabricate_dcb_output() calls, used when nouveau fabricates DCB entries for legacy boards, so the out-of-bounds access happens during display initialisation on that hardware rather than in response to untrusted input. Its practical impact is memory corruption or a crash on affected systems, not a path an attacker can drive from outside the kernel.

Conclusion

The CVE-2024-27008 vulnerability in the Linux kernel's drm/nv04 code has been resolved by passing macros from 'enum nouveau_or' in the fabricate_dcb_output() calls instead of hard-coded integers, so that 'dcb->or' is always a valid bitmask and the index derived from ffs(dcb->or) stays within the 'dac_users' array. Users running nouveau on affected hardware should update to a kernel that includes the fix, and, as always, keep their systems patched to limit exposure to similar bugs.

Timeline

Published on: 05/01/2024 06:15:19 UTC
Last modified on: 06/27/2024 13:15:57 UTC