CVE-2024-56662

Summary

CVE-2024-56662 is a vulnerability affecting the Linux kernel. It was identified and reported by syzbot using the KASAN tool. The issue lies in the acpi:nfit module's cmd_to_func function, where the call_pkg variable, which is expected to be a struct nd_cmd_pkg, is not checked for validity before accessing its nd_reserved2 array. This can lead to out-of-bounds access and undefined behavior if call_pkg does not point to a large enough buffer. To mitigate this issue, a check was added in acpi_nfit_ctl to ensure buf is not NULL and buf_len is less than sizeof(*call_pkg) before accessing call_pkg. This modification ensures safe access to call_pkg's members, including the nd_reserved2 array, thereby preventing the out-of-bounds read vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.