CVE-2024-6563 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2024-6563 Interim 1 4 2025-05-01T00:00:20Z current 2024-07-09T23:17:56Z 2025-05-01T00:00:20Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2024-6563 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C . In line 313 "addr_loaded_cnt" is checked not to be "CHECK_IMAGE_AREA_CNT" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of "dst" will be written to the area immediately after the buffer, which is "addr_loaded_cnt". This will allow an attacker to freely control the value of "addr_loaded_cnt" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value ("len") they desire. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 arm-trusted-firmware arm-trusted-firmware-tools arm-trusted-firmware as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS arm-trusted-firmware-tools as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS arm-trusted-firmware as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS arm-trusted-firmware-tools as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS arm-trusted-firmware as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 arm-trusted-firmware-tools as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 arm-trusted-firmware as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 arm-trusted-firmware-tools as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 arm-trusted-firmware as a component of SUSE Linux Enterprise Server 15 SP4-LTSS arm-trusted-firmware-tools as a component of SUSE Linux Enterprise Server 15 SP4-LTSS arm-trusted-firmware as a component of openSUSE Leap 15.5 arm-trusted-firmware-tools as a component of openSUSE Leap 15.5 arm-trusted-firmware as a component of openSUSE Leap 15.6 arm-trusted-firmware-tools as a component of openSUSE Leap 15.6 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C . In line 313 "addr_loaded_cnt" is checked not to be "CHECK_IMAGE_AREA_CNT" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of "dst" will be written to the area immediately after the buffer, which is "addr_loaded_cnt". This will allow an attacker to freely control the value of "addr_loaded_cnt" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value ("len") they desire. CVE-2024-6563 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:arm-trusted-firmware SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:arm-trusted-firmware-tools SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:arm-trusted-firmware SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:arm-trusted-firmware-tools SUSE Linux Enterprise Module for Basesystem 15 SP5:arm-trusted-firmware SUSE Linux Enterprise Module for Basesystem 15 SP5:arm-trusted-firmware-tools SUSE Linux Enterprise Module for Basesystem 15 SP6:arm-trusted-firmware SUSE Linux Enterprise Module for Basesystem 15 SP6:arm-trusted-firmware-tools SUSE Linux Enterprise Server 15 SP4-LTSS:arm-trusted-firmware SUSE Linux Enterprise Server 15 SP4-LTSS:arm-trusted-firmware-tools openSUSE Leap 15.5:arm-trusted-firmware openSUSE Leap 15.5:arm-trusted-firmware-tools openSUSE Leap 15.6:arm-trusted-firmware openSUSE Leap 15.6:arm-trusted-firmware-tools moderate 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H