{"id":"CVE-2024-40974","summary":"powerpc/pseries: Enforce hcall result buffer validity and size","details":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Enforce hcall result buffer validity and size\n\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\n\nFor example, if I write a bug like this:\n\n  long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\n  plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\n\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\n\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\n\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n   60 |                 plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n      |                 ^                                   ~~~~~~\n\n[1] Enabled for LLVM builds but not GCC for now. See commit\n    0da6e5fd6c37 (\"gcc: disable '-Warray-bounds' for gcc-13 too\") and\n    related changes.","modified":"2026-04-02T12:17:22.794682Z","published":"2024-07-12T12:32:11.417Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40974.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/19c166ee42cf16d8b156a6cb4544122d9a65d3ca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/262e942ff5a839b9e4f3302a8987928b0c8b8a2d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3ad0034910a57aa88ed9976b1431b7b8c84e0048"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8aa11aa001576bf3b00dcb8559564ad7a3113588"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a8c988d752b3d98d5cc1e3929c519a55ef55426c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aa6107dcc4ce9a3451f2d729204713783b657257"},{"type":"WEB","url":"https://git.kernel.org/stable/c/acf2b80c31c37acab040baa3cf5f19fbd5140b18"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff2e185cf73df480ec69675936c4ee75a445c3e4"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40974.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40974"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b9377ffc3a03cde558d76349a262a1adbb6d3112"},{"fixed":"acf2b80c31c37acab040baa3cf5f19fbd5140b18"},{"fixed":"19c166ee42cf16d8b156a6cb4544122d9a65d3ca"},{"fixed":"a8c988d752b3d98d5cc1e3929c519a55ef55426c"},{"fixed":"262e942ff5a839b9e4f3302a8987928b0c8b8a2d"},{"fixed":"8aa11aa001576bf3b00dcb8559564ad7a3113588"},{"fixed":"3ad0034910a57aa88ed9976b1431b7b8c84e0048"},{"fixed":"aa6107dcc4ce9a3451f2d729204713783b657257"},{"fixed":"ff2e185cf73df480ec69675936c4ee75a445c3e4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40974.json"}}],"schema_version":"1.7.5"}