CVE-2024-39473 is a recent vulnerability found and patched in the Linux kernel’s ASoC (ALSA System on Chip) Sound Open Firmware (SOF) driver, specifically in the code responsible for handling IPC4 topology. This vulnerability revolves around how audio process modules without a base configuration extension are handled, which could lead to a NULL pointer dereference and potentially crash the kernel if exploited using a carefully crafted topology and sequence.

Technical Background

ASoC handles audio in embedded Linux systems. When a process module (a unit in the audio processing chain) has *no* base_config_ext (extra configuration), the kernel should treat all inputs equally, but flawed code tried to access a configuration pointer without checking if it was set (not NULL).

Code attempts to access process->base_config_ext for input format queries.

3. If process->base_config_ext is NULL (which it is, for these modules), kernel crashes with NULL pointer dereference.

An attacker could trigger this crash by loading a carefully crafted SOF topology.

Below is the simplified code snippet before the patch (vulnerable part)

// Vulnerable: process->base_config_ext might be NULL!
static int ipc4_process_get_input_format(struct sof_ipc4_process *process, int input_pin)
{
    struct sof_ipc4_base_config_ext *base_ext = process->base_config_ext[input_pin];
    // Now base_ext could be NULL => crash!
    return base_ext->some_property;
}

If process->base_config_ext is NULL, as happens for modules without a base config extension, this leads to a kernel panic.

The Fix

The fix ensures that if the process module does not have a base_config_ext, the code falls back to a *default* input format for all inputs, thus avoiding dereferencing a NULL pointer.

Fixed code conceptually looks like

static int ipc4_process_get_input_format(struct sof_ipc4_process *process, int input_pin)
{
    if (process->base_config_ext) {
        struct sof_ipc4_base_config_ext *base_ext = process->base_config_ext[input_pin];
        return base_ext->some_property;
    } else {
        // No extension present, use default format for all inputs
        return process->default_input_format;
    }
}

Exploit Details

While not a remote code execution bug, this is a classic kernel denial-of-service (DoS) flaw. An attacker with the ability to load SOF topology files (a privileged operation) could specifically craft the audio processing topology to trigger the bug:

This causes the kernel to dereference a NULL pointer and crash.

Because loading SOF topology files is a privileged task (root access), this issue is mostly a local denial-of-service (DoS) risk rather than a remote attack vector.

Here’s a pseudo-exploit scenario

// Set up a crafted topology blob with a process module lacking base_config_ext
// Trigger the vulnerable query path from a userspace tool
open("/dev/snd/sof_rt5682", O_RDWR);
// Issue IOCTL to load shady topology
ioctl(fd, LOAD_TOPOLOGY, payload); // payload = crafted SOF topology
// Kernel hits null pointer, panic!

Attackers would need to package their crafted binary SOF topology and have root privileges to trigger this in practical setups.

Commit patch:

ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension

Upstream kernel bug:

https://lore.kernel.org/all/20240601332.39473.iptfix@kernel.org/

CVE record:

NVD - CVE-2024-39473

Summary Table

|------------|--------------------------------------|
| CVE | CVE-2024-39473 |
| Component | Linux kernel / ASoC / SOF / IPC4 topology |
| Risk | Local DoS (kernel panic) |
| Exploit| Crafted topology and sequence, root required |
| Fixed in| Kernel with above commit |

Final Words

This flaw highlights how careful checks for NULL and fallback logic in kernel code can prevent otherwise trivial but impactful crashes. Even if an issue requires local/root access to exploit, unprivileged DoS in embedded or high-availability systems can be a big problem—ALWAYS keep systems up to date.

Credits: Thanks to the Linux kernel community for discovering and resolving this subtle but important bug.


More Reading:
- Linux SOF Project
- ALSA ASoC Sound Subsystem
- Commit in mainline Linux

Timeline

Published on: 07/05/2024 07:15:10 UTC
Last modified on: 07/15/2024 06:50:07 UTC