How CVE-2025-39728 Works:
This vulnerability occurs in the Linux kernel's Samsung clock driver (clk: samsung) when UBSAN (Undefined Behavior Sanitizer) array bounds checking is enabled. The issue stems from an incorrect initialization order in `samsung_clk_init()`: `ctx->clk_data.hws` is dereferenced before `ctx->clk_data.num = nr_clks` is set. With `UBSAN_ARRAY_BOUNDS=y` this is reported as an array index out of bounds and causes a kernel panic. The flaw specifically affects ARM64 Exynos processors during clock management unit (CMU) initialization, particularly in GS101 chipset implementations. The crash occurs during the early boot sequence when registering clock controllers.
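The ordering dependency described above, as an added userspace model that is not the kernel driver's code: in the kernel, the `hws[]` member of `struct clk_hw_onecell_data` is annotated `__counted_by(num)`, which is what gives UBSAN a bound to check on every `hws[i]` access. The model below replaces the sanitizer with an explicit `bounds_violation()` check and counts how many stores it would flag when the array is filled before `num` is set versus after. The names `clk_ctx`, `fill_hws`, `init_wrong_order` and `init_right_order` are hypothetical.

```c
/* Added illustration (not the kernel driver's code): a userspace model of
 * why initialization order matters for a bounds-checked flexible array.
 * Names (clk_ctx, clk_hw, fill_hws, init_*) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct clk_hw { int id; };

/* Mirrors the shape of the driver's clk_data: an element count followed by
 * the array it describes. With CONFIG_UBSAN_ARRAY_BOUNDS=y and a
 * __counted_by(num) annotation, the kernel checks every hws[i] against num. */
struct clk_ctx {
	size_t num;
	struct clk_hw *hws[];
};

/* Model of the sanitizer's check: an index is valid only if i < num.
 * Returns 1 when the access would be flagged (out of bounds), 0 otherwise. */
static int bounds_violation(const struct clk_ctx *ctx, size_t i)
{
	return i >= ctx->num;
}

/* Fill hws[] the way the driver does, counting how many stores the bounds
 * check would reject given the current value of ctx->num. */
static size_t fill_hws(struct clk_ctx *ctx, size_t nr_clks)
{
	size_t violations = 0;
	for (size_t i = 0; i < nr_clks; i++) {
		if (bounds_violation(ctx, i)) {
			violations++;      /* the kernel would panic on the first one */
			continue;
		}
		ctx->hws[i] = NULL;        /* stands in for ERR_PTR(-ENOENT) */
	}
	return violations;
}

/* Zeroed allocation, like kzalloc: num starts at 0. */
static struct clk_ctx *alloc_ctx(size_t nr_clks)
{
	struct clk_ctx *ctx = calloc(1, sizeof(*ctx) + nr_clks * sizeof(ctx->hws[0]));
	if (!ctx) {
		perror("calloc");
		exit(1);
	}
	return ctx;
}

/* Buggy order: the array is touched while num is still 0, so every index
 * looks out of bounds to the checker. Returns the number of flagged stores. */
size_t init_wrong_order(size_t nr_clks)
{
	struct clk_ctx *ctx = alloc_ctx(nr_clks);
	size_t v = fill_hws(ctx, nr_clks);
	ctx->num = nr_clks;               /* too late: the accesses already happened */
	free(ctx);
	return v;
}

/* Fixed order: num is set before the array is dereferenced, so no store
 * is flagged. Returns the number of flagged stores (expected 0). */
size_t init_right_order(size_t nr_clks)
{
	struct clk_ctx *ctx = alloc_ctx(nr_clks);
	ctx->num = nr_clks;               /* count first, then use the array */
	size_t v = fill_hws(ctx, nr_clks);
	free(ctx);
	return v;
}

int main(void)
{
	printf("wrong order: %zu flagged accesses\n", init_wrong_order(8));
	printf("right order: %zu flagged accesses\n", init_right_order(8));
	return 0;
}
```

The point the model makes is that the "bounds" UBSAN enforces are not the allocation size but whatever `num` holds at the moment of the access; a zero-initialized count turns every legitimate store into a reported violation, which is why moving the `num` assignment earlier is a complete fix rather than a workaround.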
DailyCVE Form:
Platform: Linux Kernel
Version: 5.10+
Vulnerability: Array bounds violation
Severity: Medium
Date: 04/18/2025
What Undercode Says:
Exploit Analysis:
1. Requires UBSAN_ARRAY_BOUNDS=y config
2. Triggered during CMU initialization
3. Leads to kernel panic (DoS)
4. Affects Exynos ARM64 platforms
5. Exploitable via malicious clock config
Protection Commands:
1. Check if vulnerable: `grep -r "samsung_clk_init" /sys/kernel/debug/clk/`
2. Patch verification: `uname -r | grep "5.15.94"`
3. Temporary mitigation: `echo 0 > /proc/sys/kernel/panic_on_oops`
Code Fix Example:
```c
/* Correct initialization order: set the element count before the array
 * is allocated or dereferenced, so a bounds check that reads num sees
 * the right limit. Element size is that of one hws entry, not of the
 * pointer itself. */
ctx->clk_data.num = nr_clks;
ctx->clk_data.hws = kcalloc(nr_clks, sizeof(*ctx->clk_data.hws), GFP_KERNEL);
```
Debugging Commands:
1. Check UBSAN reports: `dmesg | grep UBSAN`
2. Verify kernel config: `zcat /proc/config.gz | grep UBSAN_ARRAY_BOUNDS`
3. List affected clock controllers: `ls /sys/kernel/debug/clk/exynos`
Kernel Patch:
a/drivers/clk/samsung/clk.c +++ b/drivers/clk/samsung/clk.c @@ -123,8 +123,8 @@ void __init samsung_clk_init(struct device_node np, ctx->reg_base = base; ctx->clk_data.clks = clk_table; ctx->clk_data.clk_num = nr_clks; + ctx->clk_data.num = nr_clks; ctx->clk_data.hws = hw_table; - ctx->clk_data.num = nr_clks; ctx->nr_clks = nr_clks; ctx->nr_hw_clks = nr_hw_clks;
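Review bot: the hunk as rendered is missing its `--- ` file-header line (it starts directly at `a/drivers/clk/samsung/clk.c`) and the function context in the `@@` header reads `struct device_node np` without the pointer star, so it will not apply as-is; restore both from the upstream commit before using it for patch verification. The move itself, `+ ctx->clk_data.num = nr_clks;` ahead of `ctx->clk_data.hws = hw_table;` with the old assignment removed after it, matches the described fix; a one-line comment on the added line stating that `num` must be set before `hws` is assigned or indexed would keep a future reordering from reintroducing the crash, since nothing in the hunk otherwise records that dependency.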
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode