fkie_cve-2024-56685
Vulnerability from fkie_nvd
Published
2024-12-28 10:15
Modified
2024-12-28 10:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: Check num_codecs is not zero to avoid panic during probe Following commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()"), COMP_DUMMY() became an array with zero length, and only gets populated with the dummy struct after the card is registered. Since the sound card driver's probe happens before the card registration, accessing any of the members of a dummy component during probe will result in undefined behavior. This can be observed in the mt8188 and mt8195 machine sound drivers. By omitting a dai link subnode in the sound card's node in the Devicetree, the default uninitialized dummy codec is used, and when its dai_name pointer gets passed to strcmp() it results in a null pointer dereference and a kernel panic. In addition to that, set_card_codec_info() in the generic helpers file, mtk-soundcard-driver.c, will populate a dai link with a dummy codec when a dai link node is present in DT but with no codec property. The result is that at probe time, a dummy codec can either be uninitialized with num_codecs = 0, or be an initialized dummy codec, with num_codecs = 1 and dai_name = "snd-soc-dummy-dai". In order to accommodate for both situations, check that num_codecs is not zero before accessing the codecs' fields but still check for the codec's dai name against "snd-soc-dummy-dai" as needed. While at it, also drop the check that dai_name is not null in the mt8192 driver, introduced in commit 4d4e1b6319e5 ("ASoC: mediatek: mt8192: Check existence of dai_name before dereferencing"), as it is actually redundant given the preceding num_codecs != 0 check.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2f2020327cc8561d7c520d2f2d9acea84fa7b3a3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/376f4800f34a28def026ff5c5d4fc5e54e1744ff
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/550279449ff54c5aa28cfca5c567308cbfb145f0
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Check num_codecs is not zero to avoid panic during probe\n\nFollowing commit 13f58267cda3 (\"ASoC: soc.h: don\u0027t create dummy\nComponent via COMP_DUMMY()\"), COMP_DUMMY() became an array with zero\nlength, and only gets populated with the dummy struct after the card is\nregistered. Since the sound card driver\u0027s probe happens before the card\nregistration, accessing any of the members of a dummy component during\nprobe will result in undefined behavior.\n\nThis can be observed in the mt8188 and mt8195 machine sound drivers. By\nomitting a dai link subnode in the sound card\u0027s node in the Devicetree,\nthe default uninitialized dummy codec is used, and when its dai_name\npointer gets passed to strcmp() it results in a null pointer dereference\nand a kernel panic.\n\nIn addition to that, set_card_codec_info() in the generic helpers file,\nmtk-soundcard-driver.c, will populate a dai link with a dummy codec when\na dai link node is present in DT but with no codec property.\n\nThe result is that at probe time, a dummy codec can either be\nuninitialized with num_codecs = 0, or be an initialized dummy codec,\nwith num_codecs = 1 and dai_name = \"snd-soc-dummy-dai\". In order to\naccommodate for both situations, check that num_codecs is not zero\nbefore accessing the codecs\u0027 fields but still check for the codec\u0027s dai\nname against \"snd-soc-dummy-dai\" as needed.\n\nWhile at it, also drop the check that dai_name is not null in the mt8192\ndriver, introduced in commit 4d4e1b6319e5 (\"ASoC: mediatek: mt8192:\nCheck existence of dai_name before dereferencing\"), as it is actually\nredundant given the preceding num_codecs != 0 check."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: mediatek: comprobar que num_codecs no es cero para evitar el p\u00e1nico durante el sondeo Despu\u00e9s de el commit 13f58267cda3 (\"ASoC: soc.h: no crear un componente ficticio mediante COMP_DUMMY()\"), COMP_DUMMY() se convirti\u00f3 en una matriz con longitud cero y solo se rellena con la estructura ficticia despu\u00e9s de que se registra la tarjeta. Dado que el sondeo del controlador de la tarjeta de sonido ocurre antes del registro de la tarjeta, acceder a cualquiera de los miembros de un componente ficticio durante el sondeo dar\u00e1 como resultado un comportamiento indefinido. Esto se puede observar en los controladores de sonido de las m\u00e1quinas mt8188 y mt8195. Al omitir un subnodo de enlace dai en el nodo de la tarjeta de sonido en Devicetree, se utiliza el c\u00f3dec ficticio no inicializado predeterminado y, cuando su puntero dai_name se pasa a strcmp(), da como resultado una desreferencia de puntero nulo y un p\u00e1nico del kernel. Adem\u00e1s de eso, set_card_codec_info() en el archivo de ayuda gen\u00e9rico, mtk-soundcard-driver.c, llenar\u00e1 un enlace dai con un c\u00f3dec ficticio cuando un nodo de enlace dai est\u00e9 presente en DT pero sin ninguna propiedad de c\u00f3dec. El resultado es que en el momento de la prueba, un c\u00f3dec ficticio puede no estar inicializado con num_codecs = 0, o ser un c\u00f3dec ficticio inicializado, con num_codecs = 1 y dai_name = \"snd-soc-dummy-dai\". Para tener en cuenta ambas situaciones, verifique que num_codecs no sea cero antes de acceder a los campos de los c\u00f3decs, pero a\u00fan as\u00ed verifique el nombre dai del c\u00f3dec contra \"snd-soc-dummy-dai\" seg\u00fan sea necesario. Mientras tanto, tambi\u00e9n elimine la verificaci\u00f3n de que dai_name no sea nulo en el controlador mt8192, introducida en el commit 4d4e1b6319e5 (\"ASoC: mediatek: mt8192: Verificar la existencia de dai_name antes de desreferenciar\"), ya que en realidad es redundante dada la verificaci\u00f3n anterior de num_codecs != 0."
    }
  ],
  "id": "CVE-2024-56685",
  "lastModified": "2024-12-28T10:15:11.593",
  "metrics": {},
  "published": "2024-12-28T10:15:11.593",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2f2020327cc8561d7c520d2f2d9acea84fa7b3a3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/376f4800f34a28def026ff5c5d4fc5e54e1744ff"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/550279449ff54c5aa28cfca5c567308cbfb145f0"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.