Linux Kernel Zynqmp Clock Driver Stack-Out-Of-Bounds Vulnerability
Vulnerability
A stack-out-of-bounds vulnerability has been identified in the Linux kernel's Zynqmp clock driver. The Linux-ATF interface carries the clock name in 16 bytes of SMC payload, so a clock name that exceeds 15 bytes fills the whole payload and arrives in Linux without a null terminator. String routines that scan for that terminator then read past the 16-byte stack buffer, which can lead to memory corruption or unintended behavior. The vulnerability was reported by KASAN as a bad memory access inside 'strncpy', a routine commonly used for bounded string copies that copies at most a given number of bytes but does not itself guarantee null termination.
Impact
The vulnerability can cause a stack-based buffer overflow, where data is written beyond the allocated stack memory. This can lead to memory corruption, potentially allowing for arbitrary code execution or causing a denial-of-service by crashing the system.
Reproduction
The vulnerability can be reproduced by using a clock name longer than 15 bytes in the Linux-ATF interface. The Zynqmp clock driver then receives a name that fills the 16-byte payload without a null terminator, causing a stack-out-of-bounds access when the name is processed. This can be observed by enabling KASAN, which will report the out-of-bounds access.
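The following C code is an added illustration of the failure mode described in the Vulnerability and Reproduction sections; it is not the kernel driver's code or its actual fix. It models the 16-byte SMC name payload as a fixed-size byte array, shows how to detect a payload with no terminator, counts how many bytes a terminator-scanning routine would read before running past the payload, and extracts the name safely by copying exactly 16 bytes into a 17-byte buffer and terminating it explicitly. The constant name, the function names, and the two sample payloads are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* The advisory states the Linux-ATF interface carries the clock name in
 * 16 bytes of SMC payload; a 16-byte name leaves no room for a NUL.
 * The constant name is an assumption for this example. */
#define SMC_NAME_PAYLOAD_LEN 16

/* Constructed sample payloads (not from the page). The 16-character name
 * exactly fills the payload, so the array holds no NUL byte at all. */
const unsigned char SAMPLE_LONG_NAME[SMC_NAME_PAYLOAD_LEN] = "clk_pll_ref_0123";
const unsigned char SAMPLE_SHORT_NAME[SMC_NAME_PAYLOAD_LEN] = "pll_ref";

/* True if the received payload contains a NUL within its 16 bytes, i.e. it
 * can be treated as a C string of at most 15 characters. */
bool payload_is_nul_terminated(const unsigned char *payload)
{
	return memchr(payload, '\0', SMC_NAME_PAYLOAD_LEN) != NULL;
}

/* Number of bytes a terminator-scanning routine (strlen, or strncpy with a
 * limit larger than the payload) would read before it finds a NUL, capped at
 * the payload size. A result equal to SMC_NAME_PAYLOAD_LEN means the scan
 * would have continued past the payload's stack buffer, which is the
 * out-of-bounds read KASAN reports. The scan is written by hand here so the
 * example does not depend on strnlen being available. */
size_t bytes_scanned_before_nul(const unsigned char *payload)
{
	size_t n = 0;
	while (n < SMC_NAME_PAYLOAD_LEN && payload[n] != '\0')
		n++;
	return n;
}

/* Hardened extraction (an assumed approach, not the kernel's exact fix):
 * memcpy never scans for a terminator, so it reads exactly the 16 payload
 * bytes; the destination is one byte larger and is terminated explicitly.
 * Returns the resulting name length. */
size_t extract_clock_name(const unsigned char *payload,
			  char out[SMC_NAME_PAYLOAD_LEN + 1])
{
	memcpy(out, payload, SMC_NAME_PAYLOAD_LEN);
	out[SMC_NAME_PAYLOAD_LEN] = '\0';
	return strlen(out);
}

/* Convenience wrapper returning the extracted name from a static buffer, so a
 * caller can compare the result directly. */
const char *extract_clock_name_static(const unsigned char *payload)
{
	static char name[SMC_NAME_PAYLOAD_LEN + 1];
	extract_clock_name(payload, name);
	return name;
}

int main(void)
{
	char name[SMC_NAME_PAYLOAD_LEN + 1];

	/* Long name: no terminator in the payload, scan hits the 16-byte cap. */
	bool long_ok = payload_is_nul_terminated(SAMPLE_LONG_NAME);   /* false */
	size_t long_scan = bytes_scanned_before_nul(SAMPLE_LONG_NAME); /* 16 */
	size_t long_len = extract_clock_name(SAMPLE_LONG_NAME, name);  /* 16 */

	/* Short name: terminator present, nothing runs past the payload. */
	bool short_ok = payload_is_nul_terminated(SAMPLE_SHORT_NAME);   /* true */
	size_t short_scan = bytes_scanned_before_nul(SAMPLE_SHORT_NAME); /* 7 */
	size_t short_len = extract_clock_name(SAMPLE_SHORT_NAME, name);  /* 7 */

	return (long_ok || long_scan != 16 || long_len != 16 ||
		!short_ok || short_scan != 7 || short_len != 7) ? 1 : 0;
}
```

The point of the two checks is that any routine reading the received name must be bounded by the payload size, not by the size of the destination buffer: a copy limit larger than 16 lets the source scan run off the end of the payload even when the destination is large enough.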
Remediation
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.
