CVE-2024-53193
Description
In the Linux kernel, the following vulnerability has been resolved:
clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider
Some heap space is allocated for the flexible structure struct clk_hw_onecell_data and its flexible-array member hws through the composite structure struct loongson2_clk_provider in function loongson2_clk_probe(), as shown below:
289 struct loongson2_clk_provider *clp; ... 296 for (p = data; p->name; p++) 297 clks_num++; 298 299 clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num), 300 GFP_KERNEL);
Then some data is written into the flexible array:
350 clp->clk_data.hws[p->id] = hw;
This corrupts clk_lock, which is the spinlock variable immediately following the clk_data member in struct loongson2_clk_provider:
struct loongson2_clk_provider { void __iomem *base; struct device *dev; struct clk_hw_onecell_data clk_data; spinlock_t clk_lock; /* protect access to DIV registers */ };
The problem is that the flexible structure is currently placed in the middle of struct loongson2_clk_provider instead of at the end.
Fix this by moving struct clk_hw_onecell_data clk_data; to the end of struct loongson2_clk_provider. Also, add a code comment to help prevent this from happening again in case new members are added to the structure in the future.
This change also fixes the following -Wflex-array-member-not-at-end warning:
drivers/clk/clk-loongson2.c:32:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
Affected products
10- osv-coords8 versionspkg:deb/ubuntu/linux@6.11.0-18.18?arch=source&distro=oracularpkg:deb/ubuntu/linux-aws@6.11.0-1009.10?arch=source&distro=oracularpkg:deb/ubuntu/linux-azure@6.11.0-1009.9?arch=source&distro=oracularpkg:deb/ubuntu/linux-gcp@6.11.0-1009.9?arch=source&distro=oracularpkg:deb/ubuntu/linux-lowlatency@6.11.0-1010.11?arch=source&distro=oracularpkg:deb/ubuntu/linux-oracle@6.11.0-1011.12?arch=source&distro=oracularpkg:deb/ubuntu/linux-raspi@6.11.0-1008.8?arch=source&distro=oracularpkg:deb/ubuntu/linux-realtime@6.11.0-1005.5?arch=source&distro=oracular
< 6.11.0-18.18+ 7 more
- (no CPE)range: < 6.11.0-18.18
- (no CPE)range: < 6.11.0-1009.10
- (no CPE)range: < 6.11.0-1009.9
- (no CPE)range: < 6.11.0-1009.9
- (no CPE)range: < 6.11.0-1010.11
- (no CPE)range: < 6.11.0-1011.12
- (no CPE)range: < 6.11.0-1008.8
- (no CPE)range: < 6.11.0-1005.5
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.