CVE-2024-57998

CVE-2024-57998 is a vulnerability in the Linux kernel's Operating Performance Points (OPP) subsystem. It manifests as a buffer overflow in the _read_freq() function due to a missing index check in an assert statement, which can result in reading frequencies out of the opp->rates[] table bounds. This issue arises specifically when _read_freq() is called from indexed variants such as dev_pm_opp_find_freq_exact_indexed() or dev_pm_opp_find_freq_ceil/floor_indexed(). The vulnerability is classified under CWE-125 (Out-of-bounds Read) and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability. Exploitation requires local access and low complexity with no user interaction, allowing the attacker to achieve high impacts on confidentiality, integrity, and availability. Potential outcomes include unauthorized data access, modification, or kernel denial of service within the affected OPP context.

Mitigation is provided through patches in the Linux kernel stable repositories. Relevant commits include 774dd6f0f0a61c9c3848e025d7d9eeed1a7ca4cd, 7d68c20638e50d5eb4576492a7958328ae445248, d659bc68ed489022ea33342cfbda2911a81e7a0d, da2a6acc73933b7812c94794726e438cde39e037, and eb6ffa0192ba83ece1a318b956265519c5c7dcec. These updates add a frequency index parameter to the assert function and introduce assert_clk_index() to validate clock indices in the indexed find functions, preventing the out-of-bounds read.