CVE-2024-42074: ASoC amd acp Linux Kernel Vulnerability Resolution - Avoiding Null Pointer Dereference in the Audio Subsystem

A vulnerability has been discovered in the Linux kernel, specifically the Advanced Linux Sound Architecture (ALSA) System on a Chip (ASoC) layer, which is used for managing ALSA hardware drivers for audio devices on the system. The vulnerability has been assigned the identifier CVE-2024-42074 and has been resolved by adding a null-check to prevent null pointer dereference in the audio subsystem's Audio Control Processor (ACP) code. This post will detail the vulnerability and provide an outline of the solution. The original reference can be found on the Linux kernel mailing list here.

Vulnerability Details

The vulnerability exists in the ASoC subsystem of the Linux kernel, which handles ALSA hardware drivers for audio devices. In the case of a platform device not being created, the chip->chip_pdev value will remain NULL. The chip->chip_pdev value is accessed in the snd_acp_resume() function of the ASoC layer, without proper null checking in place. If the pointer is dereferenced while holding the NULL value, it could lead to a kernel crash or other undefined behavior.

Firstly, let's have a look at the function where the vulnerability exists

static int snd_acp_resume(struct device *dev)
{
	struct platform_device *pdev;
	struct snd_acp *chip;

	pdev = to_platform_device(dev);
	chip = dev_get_drvdata(&pdev->dev);
	dev_dbg(dev, "%s: audio clk device is resumed\n", __func__);

	/* ... code ... */

	return ;
}

Here, we can see that chip is obtained from dev_get_drvdata() in the snd_acp_resume() function. Since there is no check in place to make sure that the value of the chip->chip_pdev is not NULL, this can lead to null pointer dereference when the function is called.

Exploit Details

An attacker with local access to the affected system can potentially exploit this vulnerability by manipulating audio settings or utilizing specific audio device configurations to trigger the snd_acp_resume() function with a NULL chip->chip_pdev. This can result in a kernel crash or other undefined behavior, impacting the stability and security of the system.

Resolution

This patch for the Linux kernel's ASoC subsystem includes a fix for the vulnerability by adding a null check for the chip->chip_pdev value before dereferencing it in the snd_acp_resume() function.

Here is the updated version of the snd_acp_resume() function after applying the patch

static int snd_acp_resume(struct device *dev)
{
	struct platform_device *pdev;
	struct snd_acp *chip;

	pdev = to_platform_device(dev);
	chip = dev_get_drvdata(&pdev->dev);
	dev_dbg(dev, "%s: audio clk device is resumed\n", __func__);

	if (!chip->chip_pdev)
		return -ENODEV;

	/* ... code ... */

	return ;
}

With the added null check, the vulnerability has been resolved, and it is no longer possible for an attacker to trigger a null pointer dereference in the snd_acp_resume() function.

Conclusion

The CVE-2024-42074 vulnerability in the Linux kernel's ASoC subsystem allowed for null pointer dereference situations that could lead to kernel crashes or other undefined behavior. The fix, as demonstrated in the provided patch, adds a null-check to prevent this dereference from occurring in the snd_acp_resume() function. Implementing this security patch is essential for maintaining system stability and security, especially in audio subsystems.

Timeline

Published on: 07/29/2024 16:15:06 UTC
Last modified on: 08/02/2024 04:54:32 UTC