CVE-2024-58080: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: clk: qcom: dispcc-sm6350: Add missing parent_map for a clock If a clk_rcg2 has a parent, it should also have parent_map defined, otherwise we'll get a NULL pointer dereference when calling clk_set_rate like the following: [ 3.388105] Call trace: [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 [ 3.455886] clk_set_rate+0x38/0x14c Add the parent_map property for the clock where it's missing and also un-inline the parent_data as well to keep the matching parent_map and parent_data together.
AI Analysis
Technical Summary
CVE-2024-58080 is a vulnerability identified in the Linux kernel, specifically within the Qualcomm clock driver for the SM6350 chipset (dispcc-sm6350). The issue arises because the clk_rcg2 clock structure, when having a parent clock, lacks a defined parent_map property. The parent_map is essential for correctly mapping parent clocks to their respective indices. Without this mapping, the kernel encounters a NULL pointer dereference when the clk_set_rate function is invoked. This leads to a kernel crash or panic, as demonstrated by the call trace provided, which shows the failure occurring during the frequency determination and clock rate setting routines. The root cause is a missing parent_map property and the inlining of parent_data, which should be kept together with parent_map to maintain consistency. The fix involves adding the missing parent_map property and un-inlining the parent_data to ensure proper association. This vulnerability is a logic error in the clock framework of the Linux kernel and can cause denial of service (DoS) by crashing the kernel when certain clock rate changes are attempted. The affected versions are identified by specific commit hashes, indicating this is a recent and targeted fix. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-58080 primarily revolves around system stability and availability. Systems running Linux kernels with the affected Qualcomm SM6350 clock driver could experience kernel panics or crashes when the clock rate is set or changed, potentially leading to unexpected downtime. This is particularly relevant for embedded systems, mobile devices, or network equipment using this chipset and Linux kernel version. Critical infrastructure or industrial control systems relying on affected hardware could face operational disruptions. Although this vulnerability does not directly lead to privilege escalation or data leakage, the denial of service caused by kernel crashes can interrupt business operations, degrade service availability, and increase maintenance costs. Organizations with large Linux deployments, especially those using Qualcomm-based hardware, may need to prioritize patching to avoid service interruptions. Since no exploits are known in the wild, the immediate risk is moderate, but the potential for future exploitation to cause targeted DoS attacks exists.
Mitigation Recommendations
To mitigate CVE-2024-58080, European organizations should: 1) Identify all systems running Linux kernels with Qualcomm SM6350 chipset support, particularly those using the dispcc-sm6350 clock driver. 2) Apply the official Linux kernel patches that add the missing parent_map property and correct the parent_data inlining as soon as they become available in stable kernel releases or backports. 3) For embedded or custom Linux distributions, coordinate with vendors or maintainers to integrate the fix promptly. 4) Implement monitoring for kernel panics or clock-related errors to detect potential exploitation attempts or system instability early. 5) Where possible, restrict access to systems that can trigger clock rate changes to trusted administrators to reduce accidental or malicious triggering of the vulnerability. 6) Test patches in staging environments before deployment to ensure compatibility and stability. 7) Maintain updated inventories of hardware and kernel versions to quickly assess exposure to this vulnerability in future audits.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2024-58080: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: clk: qcom: dispcc-sm6350: Add missing parent_map for a clock If a clk_rcg2 has a parent, it should also have parent_map defined, otherwise we'll get a NULL pointer dereference when calling clk_set_rate like the following: [ 3.388105] Call trace: [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 [ 3.455886] clk_set_rate+0x38/0x14c Add the parent_map property for the clock where it's missing and also un-inline the parent_data as well to keep the matching parent_map and parent_data together.
AI-Powered Analysis
Technical Analysis
CVE-2024-58080 is a vulnerability identified in the Linux kernel, specifically within the Qualcomm clock driver for the SM6350 chipset (dispcc-sm6350). The issue arises because the clk_rcg2 clock structure, when having a parent clock, lacks a defined parent_map property. The parent_map is essential for correctly mapping parent clocks to their respective indices. Without this mapping, the kernel encounters a NULL pointer dereference when the clk_set_rate function is invoked. This leads to a kernel crash or panic, as demonstrated by the call trace provided, which shows the failure occurring during the frequency determination and clock rate setting routines. The root cause is a missing parent_map property and the inlining of parent_data, which should be kept together with parent_map to maintain consistency. The fix involves adding the missing parent_map property and un-inlining the parent_data to ensure proper association. This vulnerability is a logic error in the clock framework of the Linux kernel and can cause denial of service (DoS) by crashing the kernel when certain clock rate changes are attempted. The affected versions are identified by specific commit hashes, indicating this is a recent and targeted fix. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-58080 primarily revolves around system stability and availability. Systems running Linux kernels with the affected Qualcomm SM6350 clock driver could experience kernel panics or crashes when the clock rate is set or changed, potentially leading to unexpected downtime. This is particularly relevant for embedded systems, mobile devices, or network equipment using this chipset and Linux kernel version. Critical infrastructure or industrial control systems relying on affected hardware could face operational disruptions. Although this vulnerability does not directly lead to privilege escalation or data leakage, the denial of service caused by kernel crashes can interrupt business operations, degrade service availability, and increase maintenance costs. Organizations with large Linux deployments, especially those using Qualcomm-based hardware, may need to prioritize patching to avoid service interruptions. Since no exploits are known in the wild, the immediate risk is moderate, but the potential for future exploitation to cause targeted DoS attacks exists.
Mitigation Recommendations
To mitigate CVE-2024-58080, European organizations should: 1) Identify all systems running Linux kernels with Qualcomm SM6350 chipset support, particularly those using the dispcc-sm6350 clock driver. 2) Apply the official Linux kernel patches that add the missing parent_map property and correct the parent_data inlining as soon as they become available in stable kernel releases or backports. 3) For embedded or custom Linux distributions, coordinate with vendors or maintainers to integrate the fix promptly. 4) Implement monitoring for kernel panics or clock-related errors to detect potential exploitation attempts or system instability early. 5) Where possible, restrict access to systems that can trigger clock rate changes to trusted administrators to reduce accidental or malicious triggering of the vulnerability. 6) Test patches in staging environments before deployment to ensure compatibility and stability. 7) Maintain updated inventories of hardware and kernel versions to quickly assess exposure to this vulnerability in future audits.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-03-06T15:52:09.183Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9822c4522896dcbde311
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 5:56:53 AM
Last updated: 8/5/2025, 1:04:15 PM
Views: 13
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.