CVE-2024-27003: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-27003 affects the Linux kernel's clock (clk) subsystem. The vulnerability was discovered in the runtime power management functionality when accessing clock summary information through debugfs. The issue affects Linux kernel versions from 5.17 up to (excluding) 6.1.88, 6.2 to 6.6.29, 6.7 to 6.8.8, and 6.9 release candidates (rc1-rc4). The vulnerability was disclosed on May 1, 2024 (NVD).

The vulnerability stems from improper handling of runtime power management (PM) when walking the clock tree for clksummary through debugfs. The issue occurs because the code did not properly ensure all devices were runtime resumed before printing the clock summary, and the return value of clkpmruntimeget() wasn't checked, which could lead to a runtime PM count underflow on error paths. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can result in a deadlock condition if a thread is attempting to resume a device to print clock state while that same device is being runtime resumed in another thread. A typical scenario would be when the screen is turning on and the display driver is starting up. This can lead to a denial of service condition, affecting system availability (Kernel Patch).

The vulnerability has been patched in the Linux kernel by modifying the clock subsystem to ensure all devices are runtime resumed before printing the clksummary through debugfs. The fix removes superfluous calls to clkpmruntime{get,put}() and properly handles the return value of clkpmruntime_get(). Users should update to kernel versions 6.1.88, 6.6.29, or 6.8.8 or later, depending on their kernel series (Kernel Patch).