CVE-2024-53193 (GCVE-0-2024-53193)
Vulnerability from cvelistv5
Published
2024-12-27 13:49
Modified
2025-05-04 09:55
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider Some heap space is allocated for the flexible structure `struct clk_hw_onecell_data` and its flexible-array member `hws` through the composite structure `struct loongson2_clk_provider` in function `loongson2_clk_probe()`, as shown below: 289 struct loongson2_clk_provider *clp; ... 296 for (p = data; p->name; p++) 297 clks_num++; 298 299 clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num), 300 GFP_KERNEL); Then some data is written into the flexible array: 350 clp->clk_data.hws[p->id] = hw; This corrupts `clk_lock`, which is the spinlock variable immediately following the `clk_data` member in `struct loongson2_clk_provider`: struct loongson2_clk_provider { void __iomem *base; struct device *dev; struct clk_hw_onecell_data clk_data; spinlock_t clk_lock; /* protect access to DIV registers */ }; The problem is that the flexible structure is currently placed in the middle of `struct loongson2_clk_provider` instead of at the end. Fix this by moving `struct clk_hw_onecell_data clk_data;` to the end of `struct loongson2_clk_provider`. Also, add a code comment to help prevent this from happening again in case new members are added to the structure in the future. This change also fixes the following -Wflex-array-member-not-at-end warning: drivers/clk/clk-loongson2.c:32:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/145de18065b9840687d9b4e63746238c1da25d22Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6e4bf018bb040955da53dae9f8628ef8fcec2dbePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/76918202615f2ba7deda14901d9fff528a180099Patch
Impacted products
Vendor Product Version
Linux Linux Version: 9796ec0bd04bb0e70487127d44949ca0554df5d3
Version: 9796ec0bd04bb0e70487127d44949ca0554df5d3
Version: 9796ec0bd04bb0e70487127d44949ca0554df5d3
 Create a notification for this product.
   Linux Linux Version: 6.10
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/clk-loongson2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "76918202615f2ba7deda14901d9fff528a180099",
              "status": "affected",
              "version": "9796ec0bd04bb0e70487127d44949ca0554df5d3",
              "versionType": "git"
            },
            {
              "lessThan": "145de18065b9840687d9b4e63746238c1da25d22",
              "status": "affected",
              "version": "9796ec0bd04bb0e70487127d44949ca0554df5d3",
              "versionType": "git"
            },
            {
              "lessThan": "6e4bf018bb040955da53dae9f8628ef8fcec2dbe",
              "status": "affected",
              "version": "9796ec0bd04bb0e70487127d44949ca0554df5d3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/clk-loongson2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider\n\nSome heap space is allocated for the flexible structure `struct\nclk_hw_onecell_data` and its flexible-array member `hws` through\nthe composite structure `struct loongson2_clk_provider` in function\n`loongson2_clk_probe()`, as shown below:\n\n289         struct loongson2_clk_provider *clp;\n\t...\n296         for (p = data; p-\u003ename; p++)\n297                 clks_num++;\n298\n299         clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num),\n300                            GFP_KERNEL);\n\nThen some data is written into the flexible array:\n\n350                 clp-\u003eclk_data.hws[p-\u003eid] = hw;\n\nThis corrupts `clk_lock`, which is the spinlock variable immediately\nfollowing the `clk_data` member in `struct loongson2_clk_provider`:\n\nstruct loongson2_clk_provider {\n\tvoid __iomem *base;\n\tstruct device *dev;\n\tstruct clk_hw_onecell_data clk_data;\n\tspinlock_t clk_lock;\t/* protect access to DIV registers */\n};\n\nThe problem is that the flexible structure is currently placed in the\nmiddle of `struct loongson2_clk_provider` instead of at the end.\n\nFix this by moving `struct clk_hw_onecell_data clk_data;` to the end of\n`struct loongson2_clk_provider`. Also, add a code comment to help\nprevent this from happening again in case new members are added to the\nstructure in the future.\n\nThis change also fixes the following -Wflex-array-member-not-at-end\nwarning:\n\ndrivers/clk/clk-loongson2.c:32:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:55:25.904Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/76918202615f2ba7deda14901d9fff528a180099"
        },
        {
          "url": "https://git.kernel.org/stable/c/145de18065b9840687d9b4e63746238c1da25d22"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e4bf018bb040955da53dae9f8628ef8fcec2dbe"
        }
      ],
      "title": "clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53193",
    "datePublished": "2024-12-27T13:49:35.566Z",
    "dateReserved": "2024-11-19T17:17:25.014Z",
    "dateUpdated": "2025-05-04T09:55:25.904Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53193\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-12-27T14:15:26.897\",\"lastModified\":\"2025-09-19T16:56:53.847\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider\\n\\nSome heap space is allocated for the flexible structure `struct\\nclk_hw_onecell_data` and its flexible-array member `hws` through\\nthe composite structure `struct loongson2_clk_provider` in function\\n`loongson2_clk_probe()`, as shown below:\\n\\n289         struct loongson2_clk_provider *clp;\\n\\t...\\n296         for (p = data; p-\u003ename; p++)\\n297                 clks_num++;\\n298\\n299         clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num),\\n300                            GFP_KERNEL);\\n\\nThen some data is written into the flexible array:\\n\\n350                 clp-\u003eclk_data.hws[p-\u003eid] = hw;\\n\\nThis corrupts `clk_lock`, which is the spinlock variable immediately\\nfollowing the `clk_data` member in `struct loongson2_clk_provider`:\\n\\nstruct loongson2_clk_provider {\\n\\tvoid __iomem *base;\\n\\tstruct device *dev;\\n\\tstruct clk_hw_onecell_data clk_data;\\n\\tspinlock_t clk_lock;\\t/* protect access to DIV registers */\\n};\\n\\nThe problem is that the flexible structure is currently placed in the\\nmiddle of `struct loongson2_clk_provider` instead of at the end.\\n\\nFix this by moving `struct clk_hw_onecell_data clk_data;` to the end of\\n`struct loongson2_clk_provider`. Also, add a code comment to help\\nprevent this from happening again in case new members are added to the\\nstructure in the future.\\n\\nThis change also fixes the following -Wflex-array-member-not-at-end\\nwarning:\\n\\ndrivers/clk/clk-loongson2.c:32:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clk: clk-loongson2: Se corrige un error de corrupci\u00f3n de memoria en struct loongson2_clk_provider. Se asigna algo de espacio de mont\u00f3n para la estructura flexible `struct clk_hw_onecell_data` y su miembro de matriz flexible `hws` a trav\u00e9s de la estructura compuesta `struct loongson2_clk_provider` en la funci\u00f3n `loongson2_clk_probe()`, como se muestra a continuaci\u00f3n: 289 struct loongson2_clk_provider *clp; ... 296 for (p = data; p-\u0026gt;name; p++) 297 clks_num++; 298 299 clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num), 300 GFP_KERNEL); Luego, se escriben algunos datos en la matriz flexible: 350 clp-\u0026gt;clk_data.hws[p-\u0026gt;id] = hw; Esto corrompe `clk_lock`, que es la variable spinlock que sigue inmediatamente al miembro `clk_data` en `struct loongson2_clk_provider`: struct loongson2_clk_provider { void __iomem *base; struct device *dev; struct clk_hw_onecell_data clk_data; spinlock_t clk_lock; /* proteger el acceso a los registros DIV */ }; El problema es que la estructura flexible actualmente est\u00e1 ubicada en el medio de `struct loongson2_clk_provider` en lugar de al final. Solucione esto moviendo `struct clk_hw_onecell_data clk_data;` al final de `struct loongson2_clk_provider`. Adem\u00e1s, agregue un comentario de c\u00f3digo para ayudar a evitar que esto vuelva a suceder en caso de que se agreguen nuevos miembros a la estructura en el futuro. Este cambio tambi\u00e9n corrige la siguiente advertencia -Wflex-array-member-not-at-end: drivers/clk/clk-loongson2.c:32:36: advertencia: la estructura que contiene un miembro de matriz flexible no est\u00e1 al final de otra estructura [-Wflex-array-member-not-at-end]\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.11.11\",\"matchCriteriaId\":\"158A6B22-9260-41D7-965A-A81798A5A969\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.12\",\"versionEndExcluding\":\"6.12.2\",\"matchCriteriaId\":\"D8882B1B-2ABC-4838-AC1D-DBDBB5764776\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/145de18065b9840687d9b4e63746238c1da25d22\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6e4bf018bb040955da53dae9f8628ef8fcec2dbe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/76918202615f2ba7deda14901d9fff528a180099\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.