CVE-2024-46774 in Linuxinfo

Summary

by MITRE • 09/18/2024

In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()

Smatch warns:

arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap)

The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks.

Use array_index_nospec() after the bounds checks to clamp these values for speculative execution.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/06/2026

The vulnerability CVE-2024-46774 represents a speculative execution attack surface within the Linux kernel's powerpc architecture implementation, specifically affecting the RTAS (Real-Time Abstract Service) subsystem. This issue resides in the arch/powerpc/kernel/rtas.c file where the __do_sys_rtas() function processes user-supplied data through the sys_rtas() system call interface. The vulnerability manifests as a potential Spectre v1 gadget construction, where attacker-controlled data can influence memory access patterns during speculative execution, potentially enabling information leakage through side-channel attacks. The warning generated by Smatch static analysis tool highlights a critical concern with the 'args.args' variable that is accessed using user-provided indices.

The technical flaw stems from improper handling of user-supplied parameters within the RTAS subsystem where the 'nargs' and 'nret' local variables are directly derived from a user-supplied buffer without adequate protection against speculative execution attacks. These variables are used as array indices into a small stack-based array and as inputs to copy_to_user() operations after undergoing bounds checks. The vulnerability occurs because the kernel fails to properly clamp these indices before they are used in speculative contexts, allowing malicious actors to construct speculative execution gadgets that could leak sensitive information from kernel memory. This particular weakness aligns with CWE-119 Improper Access of Indexable Resource and is classified as a variant of the broader Spectre vulnerability family.

The operational impact of this vulnerability extends across all Linux systems running on powerpc architecture that utilize the RTAS subsystem, particularly affecting systems that rely on real-time abstract services for hardware interaction. Attackers could potentially exploit this vulnerability through crafted RTAS system calls that manipulate the nargs and nret parameters to construct speculative execution paths that bypass normal access controls. The implications include potential information disclosure from kernel memory regions, which could expose sensitive data such as cryptographic keys, system credentials, or other confidential information. This vulnerability is particularly concerning in environments where the RTAS interface is exposed to untrusted users or where system integrity is paramount for security.

Mitigation strategies for CVE-2024-46774 involve implementing proper bounds clamping using the array_index_nospec() function after bounds checks have been performed on user-provided indices. This approach prevents speculative execution from accessing memory beyond intended bounds by ensuring that indices are properly constrained before they are used in speculative contexts. The fix requires modifying the RTAS subsystem code to apply the nospec clamping mechanism to all user-supplied array indices that are used in speculative execution paths. Additionally, system administrators should ensure that the Linux kernel is updated to versions containing the patched implementation, and that appropriate access controls are maintained for RTAS system calls to limit exposure to untrusted users. The mitigation aligns with ATT&CK technique T1059.003 for system shell command execution and represents a defensive measure against speculative execution attacks that are categorized under T1557.001 for hijacking execution flow through processor microarchitectural features.

Responsible

Linux

Reservation

09/11/2024

Disclosure

09/18/2024

Moderation

accepted

CPE

ready

EPSS

0.00241

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!