CVE-2024-46743: of/irq: Prevent device address out-of-bounds read in interrupt map walk
In the Linux kernel, the following vulnerability has been resolved:
of/irq: Prevent device address out-of-bounds read in interrupt map walk
When of_irq_parse_raw() is invoked with a device address smaller than
the interrupt parent node (from #address-cells property), KASAN detects
the following out-of-bounds read when populating the initial match table
(dyndbg="func of_irq_parse_* +p"):
OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0
OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2
OF: intspec=4
OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2
OF: -> addrsize=3
==================================================================
BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0
Read of size 4 at addr ffffff81beca5608 by task bash/764
CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1
Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023
Call trace:
dump_backtrace+0xdc/0x130
show_stack+0x1c/0x30
dump_stack_lvl+0x6c/0x84
print_report+0x150/0x448
kasan_report+0x98/0x140
__asan_load4+0x78/0xa0
of_irq_parse_raw+0x2b8/0x8d0
of_irq_parse_one+0x24c/0x270
parse_interrupts+0xc0/0x120
of_fwnode_add_links+0x100/0x2d0
fw_devlink_parse_fwtree+0x64/0xc0
device_add+0xb38/0xc30
of_device_add+0x64/0x90
of_platform_device_create_pdata+0xd0/0x170
of_platform_bus_create+0x244/0x600
of_platform_notify+0x1b0/0x254
blocking_notifier_call_chain+0x9c/0xd0
__of_changeset_entry_notify+0x1b8/0x230
__of_changeset_apply_notify+0x54/0xe4
of_overlay_fdt_apply+0xc04/0xd94
...
The buggy address belongs to the object at ffffff81beca5600
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 8 bytes inside of
128-byte region [ffffff81beca5600, ffffff81beca5680)
The buggy address belongs to the physical page:
page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4
head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head|zone=2)
raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================
OF: -> got it !
Prevent the out-of-bounds read by copying the device address into a
buffer of sufficient size.
Security readout for executives and security teams
Plain-English summary
CVE-2024-46743 is a Linux kernel memory-safety bug in device-tree interrupt parsing. A malformed or mismatched device-tree address can make the kernel read past a buffer. Public sources show kernel fixes and downstream advisories, but no CVSS score or confirmed exploitation.
Executive priority
Treat this as a targeted kernel maintenance issue, not an internet-wide emergency based on current evidence. Escalate priority for products where customers, operators, or update mechanisms can influence device-tree overlays.
Technical view
The flaw is in of_irq_parse_raw() during interrupt map walking. If a device address is smaller than the interrupt parent node’s #address-cells value, the initial match table population can trigger a KASAN-detected slab out-of-bounds read. The kernel fix copies the device address into a sufficiently sized buffer.
Likely exposure
Exposure is most likely on Linux systems using affected kernel versions and device-tree based hardware descriptions, especially embedded, appliance, industrial, or ARM-style platforms. Systems that accept or apply device-tree overlays deserve closer review.
Exploitation context
The bundle does not show KEV listing, active exploitation, public exploit use, CVSS, or a clear attacker prerequisite. The observed trace involves device-tree overlay application and KASAN detection, so exploitation context remains incomplete.
Researcher notes
Evidence supports an out-of-bounds read in Open Firmware interrupt parsing and kernel-stable remediations. The bundle does not establish privilege requirements, remote reachability, exploitability beyond read behavior, or practical impact outside affected device-tree parsing paths.
Mitigation direction
Apply vendor kernel updates that include the stable fixes for CVE-2024-46743.
Prioritize embedded, appliance, and industrial Linux systems using device-tree overlays.
Review Debian LTS and Siemens advisories if those ecosystems are in scope.
If no package is available, follow the Linux vendor’s backport guidance.
Restrict who can load or apply device-tree overlays.
Validation and detection
Inventory Linux kernel versions across exposed and embedded assets.
Check vendor changelogs for CVE-2024-46743 or the listed stable commits.
Confirm whether systems use device-tree overlays or custom hardware descriptions.
Review kernel logs for related KASAN or of_irq_parse_raw findings.
Verify downstream advisories applicable to Debian or Siemens-managed products.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-46743 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.