CVE-2024-57907

CVE-2024-57907 is an information disclosure vulnerability in the Linux kernel's Industrial I/O (IIO) subsystem, specifically the rockchip_saradc Analog-to-Digital Converter (ADC) driver. The issue arises in the handling of triggered buffers, where a local 'data' structure is used to push ADC readings to userspace. This structure is not fully initialized, as the code only assigns values to active channels via iio_for_each_active_channel(), leaving values for inactive channels uninitialized. As a result, uninitialized kernel memory can be exposed to userspace, classified under CWE-908 (Use of Uninitialized Resource). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges, such as a standard user on the system, can exploit this flaw with low complexity and no user interaction required. By triggering the ADC buffer read operation, the attacker can obtain sensitive data from uninitialized portions of kernel memory through the inactive channels in the userspace buffer. This leads to high confidentiality impact by leaking potentially sensitive kernel information, alongside a high availability impact that could result from related memory handling issues.

Mitigation involves applying upstream kernel patches, as detailed in the referenced stable commit fixes available at git.kernel.org. These patches initialize the 'data' structure to zero before use, preventing the leak of uninitialized memory. Security practitioners should update affected Linux kernels, particularly those using the rockchip_saradc driver on Rockchip-based systems, and monitor for backported fixes in downstream distributions.