CVE-2024-46743 in Linux
Summary
by MITRE • 09/18/2024
In the Linux kernel, the following vulnerability has been resolved:
of/irq: Prevent device address out-of-bounds read in interrupt map walk
When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node (from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg="func of_irq_parse_* +p"):
OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764
CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ...
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680)
The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it !
Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/05/2026
The vulnerability described in CVE-2024-46743 resides within the Linux kernel's device tree interrupt handling mechanism, specifically in the of_irq_parse_raw() function. This flaw manifests when processing device tree nodes that contain interrupt mappings, particularly when a device address is smaller than the interrupt parent node's #address-cells property value. The issue represents a classic out-of-bounds memory read condition that can lead to kernel memory corruption and potential privilege escalation or system instability. The vulnerability is categorized under CWE-129 as an "Improper Validation of Array Index" and aligns with ATT&CK technique T1068 which covers "Local Privilege Escalation" through kernel exploits. The problematic scenario occurs during the device tree overlay application process when the kernel attempts to parse interrupt specifications for device nodes, particularly in complex SoC configurations where address space layouts may not align properly with expected cell sizes.
The technical execution of this vulnerability involves a direct memory access violation during the device tree parsing phase of kernel initialization. When of_irq_parse_raw() processes interrupt specifications, it attempts to read device address information from a buffer that is insufficiently sized to accommodate the actual address data. The kernel's KASAN (Kernel Address Sanitizer) detection reveals that the read operation occurs at address 0xffffff81beca5608, which falls 8 bytes into a 128-byte memory region, indicating a precise buffer overflow condition. The system call trace demonstrates the vulnerability's path through the device tree parsing chain, starting from of_irq_parse_one() and ultimately failing in of_irq_parse_raw(), which is part of the broader firmware device link parsing mechanism. The physical page information confirms that this memory corruption occurs within a kmalloc-128 slab allocator, indicating the specific memory management context where the buffer overflow takes place.
The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable malicious code execution within kernel space, given that the condition occurs during device initialization and firmware linking processes. Attackers could exploit this vulnerability by crafting malicious device tree overlays that trigger the specific address size mismatch scenario, potentially leading to privilege escalation, denial of service, or information disclosure. The vulnerability affects systems utilizing device tree overlays and complex interrupt mapping scenarios, particularly those involving PCIe-based GPIO controllers and SoC architectures where address cell configurations may not align properly. Systems running kernel versions that include the fix are protected, but older systems without the patch remain vulnerable to exploitation, especially in embedded environments where device tree overlays are commonly used for hardware configuration.
Mitigation strategies for CVE-2024-46743 focus on ensuring proper kernel version updates that include the specific fix implemented by the Linux kernel team. The patch addresses the issue by allocating a buffer of sufficient size to accommodate the device address data before copying it, thereby preventing the out-of-bounds read condition. Organizations should prioritize kernel updates across all affected systems, particularly those operating in environments where device tree overlays are used for hardware configuration. Additional mitigations include implementing proper device tree validation procedures during system deployment, monitoring for suspicious device tree overlay loading operations, and maintaining up-to-date security patches for embedded systems. The fix aligns with security best practices outlined in the Linux kernel security documentation and represents a standard defensive programming approach to prevent buffer overflow conditions in kernel space operations.