CVE-2024-35842: ASoC Mediatek SOF-Common Vulnerability Resolved in Linux Kernel

A crucial vulnerability has been detected and resolved in the Linux kernel. This vulnerability affects the Advanced Linux Sound Architecture (ALSA) System on a Chip (ASoC) component, which could lead to potential risks for users operating on specific MediaTek devices.

The Linux kernel is responsible for managing crucial components of a system's operation, which makes addressing vulnerabilities especially paramount. The CVE-2024-35842 is related to the ASoC component within Linux kernel, particularly in the MediaTek subsystem.

The ASoC subsystem's vulnerability

The vulnerable component within the Linux kernel is located in the ASoC MediaTek subsystem. Specifically, it is linked to the Sound Open Firmware (SOF) common component. This vulnerability resides in the NULL check of the normal_link string in the struct sof_conn_stream entries.

Not all entries of the sof_conn_stream structure necessarily contain a normal_link string, especially when MediaTek devices support only SOF paths and no direct path. An example of this is the MediaTek MT8188 device, which utilizes entries without a normal_link string.

The potential risks

If left unaddressed, this vulnerability could cause the kernel to panic when faced with a NULL pointer KP. As kernel panics are often unrecoverable, this could result in a sudden system crash or unstable performance.

The solution

To resolve this vulnerability, developers have introduced a NULL check for the normal_link string, as shown in the code snippet below:

if (normal_link) {
	/* Initialize normal link related variables */
	...
}

By adding the NULL check, the kernel will no longer encounter unexpected NULL pointers, thus preventing system crashes or performance issues.

- ASoC: mediatek: sof-common: Add NULL check for normal_link string

Exploit details

There is no known exploit as of now for this vulnerability. However, it is essential to apply the patch as soon as possible to prevent any potential risks associated with this issue.

Conclusion

This post has provided a summary of the CVE-2024-35842 vulnerability, which has now been resolved in the Linux kernel. By applying the relevant patch and adding a NULL check for normal_link, your MediaTek-powered devices will be more secure, avoiding possible NULL pointer KPs and system stability issues.

Timeline

Published on: 05/17/2024 15:15:21 UTC
Last modified on: 05/29/2024 05:29:56 UTC