CVE-2024-43825

Summary

In the Linux kernel, the following vulnerability has been resolved:

iio: Fix the sorting functionality in iio_gts_build_avail_time_table

The sorting in iio_gts_build_avail_time_table is not working as intended. It could result in an out-of-bounds access when the time is zero.

Here are more details:

  1. When the gts->itime_table[i].time_us is zero, e.g., the time sequence is 3, 0, 1, the inner for-loop will not terminate and do out-of-bound writes. This is because once times[j] > new, the value new will be added in the current position and the times[j] will be moved to j+1 position, which makes the if-condition always hold. Meanwhile, idx will be added one, making the loop keep running without termination and out-of-bound write.
  2. If none of the gts->itime_table[i].time_us is zero, the elements will just be copied without being sorted as described in the comment "Sort times from all tables to one and remove duplicates".

For more details, please refer to https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux38416c28e16890b52fdd5eb73479299ec3f062f3 < 31ff8464ef540785344994986a010031410f9ff3affected
LinuxLinux38416c28e16890b52fdd5eb73479299ec3f062f3 < b5046de32fd1532c3f67065197fc1da82f0b5193affected
LinuxLinux38416c28e16890b52fdd5eb73479299ec3f062f3 < 5acc3f971a01be48d5ff4252d8f9cdb87998cdfbaffected
LinuxLinux6.4affected
LinuxLinux0 < 6.4unaffected
LinuxLinux6.6.44 <= 6.6.*unaffected
LinuxLinux6.10.3 <= 6.10.*unaffected
LinuxLinux6.11 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References