KernelScan.io

HIGH

clk Samsung Exynos Array Bounds

CVE-2025-71143

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

clk: samsung: exynos-clkout: Assign .num before accessing .hws

Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds.

As noted in that change, the __counted_by member must be initialized with the number of elements before the first array access happens, otherwise there will be a warning from each access prior to the initialization because the number of elements is zero. This occurs in exynos_clkout_probe() due to .num being assigned after .hws[] has been accessed:

  UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18
  index 0 is out of range for type 'clk_hw *[*]'

Move the .num initialization to before the first access of .hws[], clearing up the warning.

02

Engine v0.2.0

Risk summary

The Exynos clkout driver assigned the __counted_by count (.num) of its struct clk_hw_onecell_data only after it had already stored into .hws[0], so on a kernel built with CONFIG_UBSAN_BOUNDS every such access in exynos_clkout_probe() is reported as an out-of-bounds index: the count the sanitizer trusts is still zero at that point. The fix only reorders the assignment and does not touch the allocation, so the report reflects a violated annotation contract rather than a write past the buffer. On a warning-only build the practical impact is a spurious UBSAN report in the kernel log during device probe on Samsung Exynos systems, which is why the NVD score overstates the exposure. The caveat worth weighing against that: on kernels built with CONFIG_UBSAN_TRAP=y, or booted with panic_on_warn, a sanitizer report is fatal instead of logged, so the same bug can abort boot on affected hardware. Without CONFIG_UBSAN_BOUNDS the annotation is inert and nothing is checked at all.

Affected: drivers/clk/samsung/clk-exynos-clkout.c

Vulnerability analysis

Root Cause: The __counted_by annotation on struct clk_hw_onecell_data.hws tells the compiler that .num holds the number of valid elements, which means .num has to be correct before any index into .hws[] is evaluated. exynos_clkout_probe() wrote clkout->data.hws[0] before assigning .num, so UBSAN_BOUNDS compared index 0 against a count of zero and reported it as out of range.

Attack Surface: There is no attacker-controlled input involved. The out-of-order access is performed by the driver itself, once, while the clkout device is probed, so the condition is only reachable on an Exynos board running a kernel with bounds sanitization enabled (normally a debug or hardened build). The signature to look for in the kernel log is the line quoted in the commit message, "UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c". On a build without CONFIG_UBSAN_BOUNDS the annotation changes nothing at runtime.

Fix Mechanism: The patch moves the assignment clkout->data.num = EXYNOS_CLKOUT_NR_CLKS ahead of the first write to clkout->data.hws[0], so the count the sanitizer consults already matches the array by the time the access happens. The allocation itself is unchanged; only the initialization order is corrected. To confirm a tree carries the fix, check that .num is assigned before the first .hws[] store in exynos_clkout_probe() in the file listed above.
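To make the ordering rule concrete, here is an added example in plain C; it is not the driver's or the kernel's code. It models struct clk_hw_onecell_data with a local struct, substitutes a no-op macro for __counted_by where the compiler lacks the attribute, and emulates the UBSAN_BOUNDS check in software so that it runs without a sanitizer. NR_CLKS, onecell_data, bounds_report, set_hw, probe_before_fix, probe_after_fix, check_index and the two sample clock names are this example's own; the two-slot layout is an assumption for illustration, not the driver's actual array contents.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's __counted_by(): the real attribute where the
 * compiler has it (clang >= 18, GCC >= 15), a no-op elsewhere. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(member) __attribute__((counted_by(member)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(member)
#endif

#define NR_CLKS 2U   /* this example's stand-in for EXYNOS_CLKOUT_NR_CLKS */

struct clk_hw { const char *name; };

/* Same shape as struct clk_hw_onecell_data: the count must be valid
 * before the first hws[] index is evaluated. */
struct onecell_data {
	unsigned int num;
	struct clk_hw *hws[] COUNTED_BY(num);
};

/* Plain-C emulation of the UBSAN_BOUNDS check that __counted_by enables:
 * an index is in range only if it is below the current value of .num.
 * Returns 1 and prints a report when the check would fire, 0 otherwise. */
static int bounds_report(const struct onecell_data *d, unsigned int idx)
{
	if (idx < d->num)
		return 0;
	fprintf(stderr, "UBSAN-like: index %u is out of range (num=%u)\n",
		idx, d->num);
	return 1;
}

/* Stores hw into slot idx, counting a report if the check fires. */
static void set_hw(struct onecell_data *d, unsigned int idx,
		   struct clk_hw *hw, unsigned int *reports)
{
	if (bounds_report(d, idx)) {
		*reports += 1;
		return;   /* the real sanitizer would warn (or trap) here */
	}
	d->hws[idx] = hw;
}

/* Allocation mirrors the driver: room for NR_CLKS slots exists from the
 * start, so the reports below are about the count, not the memory. */
static struct onecell_data *alloc_data(void)
{
	return calloc(1, sizeof(struct onecell_data) +
			 NR_CLKS * sizeof(struct clk_hw *));
}

static struct clk_hw mux_hw  = { "clkout" };       /* constructed sample */
static struct clk_hw gate_hw = { "clkout_gate" };  /* constructed sample */

/* Order before the fix: .hws[] written while .num is still zero,
 * so every access is reported. Returns the number of reports. */
unsigned int probe_before_fix(void)
{
	unsigned int reports = 0;
	struct onecell_data *d = alloc_data();

	set_hw(d, 0, &mux_hw, &reports);   /* num == 0: reported */
	set_hw(d, 1, &gate_hw, &reports);  /* num == 0: reported again */
	d->num = NR_CLKS;                  /* too late for the checks above */
	free(d);
	return reports;
}

/* Order after the fix: .num assigned first, then the same accesses. */
unsigned int probe_after_fix(void)
{
	unsigned int reports = 0;
	struct onecell_data *d = alloc_data();

	d->num = NR_CLKS;                  /* moved before the first access */
	set_hw(d, 0, &mux_hw, &reports);
	set_hw(d, 1, &gate_hw, &reports);
	free(d);
	return reports;
}

/* Once .num is right the check still does its real job: an index at or
 * beyond the count is reported. Returns 1 if reported, 0 if in range. */
int check_index(unsigned int num, unsigned int idx)
{
	struct onecell_data *d = alloc_data();
	int reported;

	d->num = num;
	reported = bounds_report(d, idx);
	free(d);
	return reported;
}

int main(void)
{
	printf("before fix: %u reports\n", probe_before_fix());
	printf("after fix:  %u reports\n", probe_after_fix());
	printf("real overrun caught: %d\n", check_index(NR_CLKS, NR_CLKS));
	return 0;
}
```

Any C compiler builds it; with clang 18+ and -fsanitize=bounds the real attribute is active as well, but the emulated check guards each index first, so the run stays deterministic. The before/after pair shows one report per access made before the count is set and none afterwards, and check_index(NR_CLKS, NR_CLKS) shows the annotation still catches a genuine overrun once .num is correct.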

03

Branch     Fixed in   Patch commit
6.12       6.12.64    eb1f3a6ab3ef
6.18       6.18.4     a317f63255eb
6.6        6.6.120    fbf57f5e453d
mainline   6.19       cf33f0b7df13