CVE-2024-53193

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider<br /> <br /> Some heap space is allocated for the flexible structure `struct<br /> clk_hw_onecell_data` and its flexible-array member `hws` through<br /> the composite structure `struct loongson2_clk_provider` in function<br /> `loongson2_clk_probe()`, as shown below:<br /> <br /> 289 struct loongson2_clk_provider *clp;<br /> ...<br /> 296 for (p = data; p-&gt;name; p++)<br /> 297 clks_num++;<br /> 298<br /> 299 clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num),<br /> 300 GFP_KERNEL);<br /> <br /> Then some data is written into the flexible array:<br /> <br /> 350 clp-&gt;clk_data.hws[p-&gt;id] = hw;<br /> <br /> This corrupts `clk_lock`, which is the spinlock variable immediately<br /> following the `clk_data` member in `struct loongson2_clk_provider`:<br /> <br /> struct loongson2_clk_provider {<br /> void __iomem *base;<br /> struct device *dev;<br /> struct clk_hw_onecell_data clk_data;<br /> spinlock_t clk_lock; /* protect access to DIV registers */<br /> };<br /> <br /> The problem is that the flexible structure is currently placed in the<br /> middle of `struct loongson2_clk_provider` instead of at the end.<br /> <br /> Fix this by moving `struct clk_hw_onecell_data clk_data;` to the end of<br /> `struct loongson2_clk_provider`. Also, add a code comment to help<br /> prevent this from happening again in case new members are added to the<br /> structure in the future.<br /> <br /> This change also fixes the following -Wflex-array-member-not-at-end<br /> warning:<br /> <br /> drivers/clk/clk-loongson2.c:32:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]