The Linux kernel is the core engine behind billions of devices, from servers and laptops to the smartphone in your hand. Yet, even with all its reliability, new bugs sometimes slip in. In mid-2024, an issue was identified and fixed in the kernel's Mediatek video driver: CVE-2024-47752. This bug allowed a specially crafted video stream to crash the device by triggering a NULL pointer dereference, something that always spells trouble in low-level systems like Linux. Let's break down what happened, with code, references, and even how an exploit could work.
What is the Mediatek Vcodec Driver?
Mediatek system-on-chips (SoCs) are everywhere—in phones, TVs, tablets, and smart home devices. Their chips include special hardware blocks for encoding and decoding video. The Linux kernel manages these with drivers under drivers/media/platform/mediatek.
vdec_h264_req_if.c is the source code file that, as its name implies, handles H.264 (“AVC”) decoding requests for this hardware.
The Issue: A Smatch Warning Calls Out a Bug
Smatch is a static code checker that scans C source code to find unsafe patterns, possible bugs or coding mistakes. In this case, when it scanned the Mediatek video decode driver, it noticed something suspicious:
Here's a simplified version of the buggy code:

    // Simplified for clarity
    static int some_h264_decode_function(struct vdec_h264_inst *inst, struct mtk_vcodec_mem *fb)
    {
        // ... (some code)
        // fb might be NULL under rare conditions!
        // BAD: This will crash the kernel if fb is NULL
        fb->va = some_value;
        // ... (more code)
    }
Smatch would warn:

    Dereference after NULL check: potentially dereferencing fb which can be NULL
Why Is This Dangerous?
In Linux kernel space, dereferencing a NULL pointer doesn’t just throw an error—it panics the whole system. If an attacker (or a corrupted video stream) could control what parameters got passed, they could instantly bring down the device.
Exploit Details: How Could Someone Crash the Kernel?
While this isn’t a privilege escalation or remote code execution bug, it’s still a denial of service (DoS) vulnerability. Here’s how an attacker might exploit it:
1. Craft a Malicious Video Stream: The attacker creates a malformed H.264 video stream that, when played, causes the driver to pass a NULL fb (framebuffer) pointer down into the vulnerable function.
2. Play the Video: The attacker uploads the video to a website, sends it over a messaging app, etc.
3. Trigger the Bug: When the victim's device tries to decode the video (maybe an app automatically creates a thumbnail), the kernel hits the crash and dies.
Because this affects the kernel, the entire device freezes or reboots—potentially endlessly if some app tries to re-decode the same video at startup.
The Fix: Simple Check, Strong Protection
Linux kernel maintainers fixed the bug by simply checking if fb is NULL before using it. Here’s an illustration of the fixed code:
    // Now, check if fb is NULL before using it!
    static int some_h264_decode_function(struct vdec_h264_inst *inst, struct mtk_vcodec_mem *fb)
    {
        if (!fb)
            return -EINVAL; // Return an error, don't crash
        fb->va = some_value; // Now safe!
        // ... (more code)
    }
Now, if the driver is handed a NULL pointer, it *gracefully* fails instead of panicking and rebooting the device.
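To see the fixed pattern end to end, here is an added user-space model (not the Mediatek driver's own code) of a decode step that returns -EINVAL on a missing frame buffer, plus a caller whose buffer lookup can legitimately yield NULL. The struct fields, the function names h264_decode_frame and decode_slice, and the queue scenario are hypothetical stand-ins; the struct name mtk_vcodec_mem and the va field come from the page.

```c
/* Added example (not the driver's code): a user-space model of the fix.
 * Struct fields, function names and the sample scenario are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mock of the kernel's struct mtk_vcodec_mem: only the fields we touch. */
struct mtk_vcodec_mem {
    void *va;          /* kernel virtual address of the buffer */
    uint64_t dma_addr; /* bus address that would be programmed into the decoder */
    size_t size;
};

/* Hypothetical decoder instance state. */
struct vdec_h264_inst {
    uint64_t y_fb_dma;
    int frames_decoded;
};

/* Hardened decode step: refuse a missing frame buffer instead of dereferencing
 * it. Returns 0 on success or a negative errno, the kernel convention the fix
 * follows. Before the fix, fb->dma_addr here would have been a NULL deref. */
static int h264_decode_frame(struct vdec_h264_inst *inst, struct mtk_vcodec_mem *fb)
{
    if (!inst || !fb)
        return -EINVAL;
    inst->y_fb_dma = fb->dma_addr;
    inst->frames_decoded++;
    return 0;
}

/* Constructed driver-like caller: the frame buffer for a slice comes from a
 * lookup that can yield NULL (e.g. the stream references a buffer slot the
 * application never queued, or an out-of-range index). The error is
 * propagated to the caller as a failed request rather than a crash. */
static int decode_slice(struct vdec_h264_inst *inst, struct mtk_vcodec_mem **queue,
                        int nbufs, int ref_idx)
{
    struct mtk_vcodec_mem *fb = (ref_idx >= 0 && ref_idx < nbufs) ? queue[ref_idx] : NULL;
    int ret = h264_decode_frame(inst, fb);
    if (ret)
        fprintf(stderr, "decode_slice: bad frame buffer index %d (%d)\n", ref_idx, ret);
    return ret;
}

int main(void)
{
    static uint8_t backing[64];                       /* constructed sample buffer */
    struct mtk_vcodec_mem buf = { backing, 0x1000, sizeof backing };
    struct mtk_vcodec_mem *queue[2] = { &buf, NULL }; /* slot 1 never queued */
    struct vdec_h264_inst inst = { 0 };
    printf("valid slot:    %d\n", decode_slice(&inst, queue, 2, 0));
    printf("unqueued slot: %d\n", decode_slice(&inst, queue, 2, 1));
    printf("out of range:  %d\n", decode_slice(&inst, queue, 2, 7));
    return 0;
}
```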
How Was This Caught?
- The issue was found by kernel contributors running tools like Smatch.
- The credited fix appears as this commit (replace with actual commit link as needed).
Links to References
- CVE-2024-47752 at NVD
- Linux kernel commit: Fix H264 stateless decoder smatch warning
- Smatch static checker
- Linux drivers/media/platform/mediatek
What Should You Do?
If you maintain a device or kernel that supports Mediatek hardware video decoding:
- Upgrade to a Linux kernel version that includes this patch (after May 2024).
- If you're an app developer, make sure all devices have up-to-date kernels—especially if you ever decode user-supplied video.
For end users:
- Regularly update your OS! Most Android phones and Chromebooks with Mediatek chips will pick this up automatically, but updates matter.
Conclusion
CVE-2024-47752 is a great example of a "small" bug that could have an outsized impact. Through careful code review and automated tools like Smatch, the Linux community keeps the kernel safe, even in code paths that only trigger in weird or unlucky cases. Remember: that next video you download isn't just cat memes. It could be a crash-in-waiting, unless your devices are up to date!
Timeline
Published on: 10/21/2024 13:15:05 UTC
Last modified on: 11/19/2024 01:09:29 UTC