CVE-2024-56685

Published: Dic 28, 2024 Last Modified: Set 26, 2025 EU-VD ID: EUVD-2024-53333

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,5

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

ASoC: mediatek: Check num_codecs is not zero to avoid panic during probe

Following commit 13f58267cda3 ('ASoC: soc.h: don't create dummy
Component via COMP_DUMMY()'), COMP_DUMMY() became an array with zero
length, and only gets populated with the dummy struct after the card is
registered. Since the sound card driver's probe happens before the card
registration, accessing any of the members of a dummy component during
probe will result in undefined behavior.

This can be observed in the mt8188 and mt8195 machine sound drivers. By
omitting a dai link subnode in the sound card's node in the Devicetree,
the default uninitialized dummy codec is used, and when its dai_name
pointer gets passed to strcmp() it results in a null pointer dereference
and a kernel panic.

In addition to that, set_card_codec_info() in the generic helpers file,
mtk-soundcard-driver.c, will populate a dai link with a dummy codec when
a dai link node is present in DT but with no codec property.

The result is that at probe time, a dummy codec can either be
uninitialized with num_codecs = 0, or be an initialized dummy codec,
with num_codecs = 1 and dai_name = 'snd-soc-dummy-dai'. In order to
accommodate for both situations, check that num_codecs is not zero
before accessing the codecs' fields but still check for the codec's dai
name against 'snd-soc-dummy-dai' as needed.

While at it, also drop the check that dai_name is not null in the mt8192
driver, introduced in commit 4d4e1b6319e5 ('ASoC: mediatek: mt8192:
Check existence of dai_name before dereferencing'), as it is actually
redundant given the preceding num_codecs != 0 check.

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

ASoC: mediatek: Verifica che num_codecs non sia zero per evitare panic durante il probe

A seguito del commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()"), COMP_DUMMY() è diventato un array con lunghezza zero, e viene popolato con la struct dummy solo dopo la registrazione della scheda. Poiché il probe del driver della scheda audio avviene prima della registrazione della scheda, l'accesso a qualsiasi membro di un componente dummy durante il probe può causare comportamento indefinito.

Questo può essere osservato nei driver audio delle macchine mt8188 e mt8195. Ommettendo un sotto-nodo di dai link nella node della scheda audio nel Devicetree, viene utilizzato il codec dummy di default non inizializzato, e quando il puntatore dai_name viene passato a strcmp() si verifica un dereference di puntatore nullo e un kernel panic.

Inoltre, set_card_codec_info() nel file helper generico, mtk-soundcard-driver.c, popola un dai link con un codec dummy quando nel DT è presente un nodo dai link ma senza proprietà codec.

Il risultato è che al momento del probe, un codec dummy può essere o non inizializzato con num_codecs = 0, oppure essere un codec dummy inizializzato, con num_codecs = 1 e dai_name = "snd-soc-dummy-dai". Per gestire entrambe le situazioni, si deve verificare che num_codecs non sia zero prima di accedere ai campi dei codec, ma comunque confrontare il dai_name con "snd-soc-dummy-dai" come necessario.

Durante questa verifica, si elimina anche il controllo che dai_name non sia null nel driver mt8192, introdotto nel commit 4d4e1b6319e5 ("ASoC: mediatek: mt8192: Check existence of dai_name before dereferencing"), in quanto ridondante dato il precedente controllo che num_codecs != 0.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0003

Percentile

0,1th

Updated

EPSS Score Trend (Last 90 Days)

908

Use of Uninitialized Resource

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Availability

Potential Impacts:

Read Memory Read Application Data Dos: Crash, Exit, Or Restart

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: Medium

View CWE Details

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.12 (inclusive)

To 6.12.2 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.8 (inclusive)

To 6.11.11 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://git.kernel.org/stable/c/2f2020327cc8561d7c520d2f2d9…

https://git.kernel.org/stable/c/2f2020327cc8561d7c520d2f2d9acea84fa7b3a3

https://git.kernel.org/stable/c/376f4800f34a28def026ff5c5d4…

https://git.kernel.org/stable/c/376f4800f34a28def026ff5c5d4fc5e54e1744ff

https://git.kernel.org/stable/c/550279449ff54c5aa28cfca5c56…

https://git.kernel.org/stable/c/550279449ff54c5aa28cfca5c567308cbfb145f0

CVE-2024-56685

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Use of Uninitialized Resource

Common Consequences

Applicable Platforms

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Iscriviti alla newsletter