CVE-2024-58007

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
27/02/2025
Last modified:
13/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: socinfo: Avoid out of bounds read of serial number

On MSM8916 devices, the serial number exposed in sysfs is constant and does not change across individual devices. It's always:

    db410c:/sys/devices/soc0$ cat serial_number
    2644893864

The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not have support for the serial_num field in the socinfo struct. There is an existing check to avoid exposing the serial number in that case, but it's not correct: When checking the item_size returned by SMEM, we need to make sure the *end* of the serial_num is within bounds, instead of comparing with the *start* offset. The serial_number currently exposed on MSM8916 devices is just an out of bounds read of whatever comes after the socinfo struct in SMEM.

Fix this by changing offsetof() to offsetofend(), so that the size of the field is also taken into account.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4 (including) | 6.1.129 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.78 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.3 (excluding) |