CVE-2024-58007
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: socinfo: Avoid out of bounds read of serial number On MSM8916 devices, the serial number exposed in sysfs is constant and does not change across individual devices. It's always: db410c:/sys/devices/soc0$ cat serial_number 2644893864 The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not have support for the serial_num field in the socinfo struct. There is an existing check to avoid exposing the serial number in that case, but it's not correct: When checking the item_size returned by SMEM, we need to make sure the *end* of the serial_num is within bounds, instead of comparing with the *start* offset. The serial_number currently exposed on MSM8916 devices is just an out of bounds read of whatever comes after the socinfo struct in SMEM. Fix this by changing offsetof() to offsetofend(), so that the size of the field is also taken into account.
Security Summary
CVE-2024-58007 is an out-of-bounds read vulnerability in the Linux kernel's Qualcomm socinfo driver, specifically affecting MSM8916 devices. The issue arises when reading the serial number exposed via sysfs, as the firmware on these devices reports SOCINFO_VERSION(0,8), which lacks support for the serial_num field in the socinfo struct stored in SMEM. An existing bounds check incorrectly uses the start offset of the serial_num field rather than its end, resulting in an out-of-bounds read of memory following the socinfo struct. This has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) and is classified under CWE-125 (Out-of-bounds Read).
A local attacker with low privileges can exploit this vulnerability by accessing the serial_number sysfs entry under /sys/devices/soc0. Successful exploitation allows reading arbitrary data beyond the socinfo struct in SMEM, potentially disclosing sensitive information (high confidentiality impact), and may trigger a kernel crash due to the invalid memory access (high availability impact). No user interaction is required, and the attack has low complexity.
The provided references point to stable kernel patch commits that resolve the issue by replacing offsetof() with offsetofend() in the bounds check, ensuring the entire serial_num field fits within the reported item_size from SMEM. Security practitioners should apply these upstream fixes to affected Linux kernel versions supporting MSM8916 devices to mitigate the vulnerability.
Details
- CWE(s)