1.9 KiB
CVE-2024-27006
Description
In the Linux kernel, the following vulnerability has been resolved:thermal/debugfs: Add missing count increment to thermal_debug_tz_trip_up()The count field in struct trip_stats, representing the number of timesthe zone temperature was above the trip point, needs to be incrementedin thermal_debug_tz_trip_up(), for two reasons.First, if a trip point is crossed on the way up for the first time,thermal_debug_update_temp() called from update_temperature() doesnot see it because it has not been added to trips_crossed[] arrayin the thermal zone's struct tz_debugfs object yet. Therefore, whenthermal_debug_tz_trip_up() is called after that, the trip point'scount value is 0, and the attempt to divide by it during the averagetemperature computation leads to a divide error which causes the kernelto crash. Setting the count to 1 before the division by incrementing itfixes this problem.Second, if a trip point is crossed on the way up, but it has beencrossed on the way up already before, its count value needs to beincremented to make a record of the fact that the zone temperature isabove the trip now. Without doing that, if the mitigations appliedafter crossing the trip cause the zone temperature to drop below itsthreshold, the count will not be updated for this episode at all andthe average temperature in the trip statistics record will be somewhathigher than it should be.Cc :6.8+ stable@vger.kernel.org # 6.8+
POC
Reference
No PoCs from references.