CVE-2024-43825

When the gts->itimetable[i].timeus is zero, e.g., the time sequence is 3, 0, 1, the inner for-loop will not terminate and do out-of-bound writes. This is because once times[j] > new, the value new will be added in the current position and the times[j] will be moved to j+1 position, which makes the if-condition always hold. Meanwhile, idx will be added one, making the loop keep running without termination and out-of-bound write.
If none of the gts->itimetable[i].timeus is zero, the elements will just be copied without being sorted as described in the comment "Sort times from all tables to one and remove duplicates".

For more details, please refer to https://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

38416c28e16890b52fdd5eb73479299ec3f062f3

Fixed

31ff8464ef540785344994986a010031410f9ff3

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

38416c28e16890b52fdd5eb73479299ec3f062f3

Fixed

b5046de32fd1532c3f67065197fc1da82f0b5193

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

38416c28e16890b52fdd5eb73479299ec3f062f3

Fixed

5acc3f971a01be48d5ff4252d8f9cdb87998cdfb

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.10.1

v6.10.2

v6.3

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.4

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@31ff8464ef540785344994986a010031410f9ff3",
        "id": "CVE-2024-43825-09ba4c1a",
        "target": {
            "file": "drivers/iio/industrialio-gts-helper.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "127060211763066042753704345674454525777",
                "121629038936822160852457435216844718189",
                "73205434750768244714729114203199563555",
                "272646699128014812104408896779830663627",
                "73867400717754448675790539486444402580",
                "88845988432148939598236903912073364030",
                "38365844261694626424864076644766173285",
                "328693112997514189870923168067452265037",
                "108141469629790537439416508136015864998",
                "252498574320474132332644259398011607114",
                "312561577511945557273063792263525278127",
                "16088316066663513270661286528588105956",
                "227639465630318890389508663619922496819"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5acc3f971a01be48d5ff4252d8f9cdb87998cdfb",
        "id": "CVE-2024-43825-1f05f6bc",
        "target": {
            "function": "iio_gts_build_avail_time_table",
            "file": "drivers/iio/industrialio-gts-helper.c"
        },
        "deprecated": false,
        "digest": {
            "length": 832.0,
            "function_hash": "299145870891090607900794959029133546921"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b5046de32fd1532c3f67065197fc1da82f0b5193",
        "id": "CVE-2024-43825-63198d3e",
        "target": {
            "file": "drivers/iio/industrialio-gts-helper.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "127060211763066042753704345674454525777",
                "121629038936822160852457435216844718189",
                "73205434750768244714729114203199563555",
                "272646699128014812104408896779830663627",
                "73867400717754448675790539486444402580",
                "88845988432148939598236903912073364030",
                "38365844261694626424864076644766173285",
                "328693112997514189870923168067452265037",
                "108141469629790537439416508136015864998",
                "252498574320474132332644259398011607114",
                "312561577511945557273063792263525278127",
                "16088316066663513270661286528588105956",
                "227639465630318890389508663619922496819"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b5046de32fd1532c3f67065197fc1da82f0b5193",
        "id": "CVE-2024-43825-8260320f",
        "target": {
            "function": "iio_gts_build_avail_time_table",
            "file": "drivers/iio/industrialio-gts-helper.c"
        },
        "deprecated": false,
        "digest": {
            "length": 832.0,
            "function_hash": "299145870891090607900794959029133546921"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@31ff8464ef540785344994986a010031410f9ff3",
        "id": "CVE-2024-43825-b8531290",
        "target": {
            "function": "iio_gts_build_avail_time_table",
            "file": "drivers/iio/industrialio-gts-helper.c"
        },
        "deprecated": false,
        "digest": {
            "length": 832.0,
            "function_hash": "299145870891090607900794959029133546921"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5acc3f971a01be48d5ff4252d8f9cdb87998cdfb",
        "id": "CVE-2024-43825-df96e2fb",
        "target": {
            "file": "drivers/iio/industrialio-gts-helper.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "127060211763066042753704345674454525777",
                "121629038936822160852457435216844718189",
                "73205434750768244714729114203199563555",
                "272646699128014812104408896779830663627",
                "73867400717754448675790539486444402580",
                "88845988432148939598236903912073364030",
                "38365844261694626424864076644766173285",
                "328693112997514189870923168067452265037",
                "108141469629790537439416508136015864998",
                "252498574320474132332644259398011607114",
                "312561577511945557273063792263525278127",
                "16088316066663513270661286528588105956",
                "227639465630318890389508663619922496819"
            ]
        },
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.6.44

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.10.3