CVE-2024-38635: soundwire: cadence: fix invalid PDI offset
First published: Fri Jun 21 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: soundwire: cadence: fix invalid PDI offset For some reason, we add an offset to the PDI, presumably to skip the PDI0 and PDI1 which are reserved for BPT. This code is however completely wrong and leads to an out-of-bounds access. We were just lucky so far since we used only a couple of PDIs and remained within the PDI array bounds. A Fixes: tag is not provided since there are no known platforms where the out-of-bounds would be accessed, and the initial code had problems as well. A follow-up patch completely removes this useless offset.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel | <5.4.278 | 5.4.278 |
| redhat/kernel | <5.10.219 | 5.10.219 |
| redhat/kernel | <5.15.161 | 5.15.161 |
| redhat/kernel | <6.1.93 | 6.1.93 |
| redhat/kernel | <6.6.33 | 6.6.33 |
| redhat/kernel | <6.9.4 | 6.9.4 |
| redhat/kernel | <6.10 | 6.10 |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.16-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/002364b2d594a9afc0385c09e00994c510b1d089
- https://git.kernel.org/stable/c/2ebcaa0e5db9b6044bb487ae1cf41bc601761567
- https://git.kernel.org/stable/c/4e99103f757cdf636c6ee860994a19a346a11785
- https://git.kernel.org/stable/c/7eeef1e935d23db5265233d92395bd5c648a4021
- https://git.kernel.org/stable/c/8ee1b439b1540ae543149b15a2a61b9dff937d91
- https://git.kernel.org/stable/c/902f6d656441a511ac25c6cffce74496db10a078
- https://git.kernel.org/stable/c/fd4bcb991ebaf0d1813d81d9983cfa99f9ef5328
- https://launchpad.net/bugs/cve/CVE-2024-38635
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38635
- https://nvd.nist.gov/vuln/detail/CVE-2024-38635
- https://security-tracker.debian.org/tracker/CVE-2024-38635
- https://ubuntu.com/security/CVE-2024-38635
- https://git.kernel.org/linus/8ee1b439b1540ae543149b15a2a61b9dff937d91
- https://access.redhat.com/security/cve/CVE-2024-38635
- https://lore.kernel.org/linux-cve-announce/2024062143-CVE-2024-38635-a3b1@gregkh/T
- https://access.redhat.com/errata/RHSA-2024:9315
- https://bugzilla.redhat.com/show_bug.cgi?id=2293693
Frequently Asked Questions
What is the severity of CVE-2024-38635?
CVE-2024-38635 is classified with a severity level that may lead to potential exploitation in affected Linux kernel versions.
How do I fix CVE-2024-38635?
To resolve CVE-2024-38635, update the Linux kernel to the fixed versions such as 5.4.278, 5.10.219, 5.15.161, 6.1.93, 6.6.33, or later versions.
Which software is affected by CVE-2024-38635?
CVE-2024-38635 affects specific versions of the Linux kernel, including those listed under various Red Hat and Debian packages.
Is a restart required after patching CVE-2024-38635?
Yes, a system restart is typically required after updating the kernel to apply the changes and fix CVE-2024-38635.
What are the potential impacts of CVE-2024-38635 if left unpatched?
If left unpatched, CVE-2024-38635 may result in system instability or an exploitable condition impacting security and functionality.
- agent/title
- agent/type
- collector/nvd-api
- source/NVD
- collector/launchpad-cve
- source/Launchpad
- agent/remedy
- agent/author
- agent/first-publish-date
- agent/references
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-38635
- agent/software-canonical-lookup
- collector/nvd-cve
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- package-manager/debian