CVE-2024-56685

{"id": "CVE-2024-56685", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-12-28T10:15:11.593", "references": [{"url": "https://git.kernel.org/stable/c/2f2020327cc8561d7c520d2f2d9acea84fa7b3a3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/376f4800f34a28def026ff5c5d4fc5e54e1744ff", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/550279449ff54c5aa28cfca5c567308cbfb145f0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-908"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Check num_codecs is not zero to avoid panic during probe\n\nFollowing commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy\nComponent via COMP_DUMMY()\"), COMP_DUMMY() became an array with zero\nlength, and only gets populated with the dummy struct after the card is\nregistered. Since the sound card driver's probe happens before the card\nregistration, accessing any of the members of a dummy component during\nprobe will result in undefined behavior.\n\nThis can be observed in the mt8188 and mt8195 machine sound drivers. By\nomitting a dai link subnode in the sound card's node in the Devicetree,\nthe default uninitialized dummy codec is used, and when its dai_name\npointer gets passed to strcmp() it results in a null pointer dereference\nand a kernel panic.\n\nIn addition to that, set_card_codec_info() in the generic helpers file,\nmtk-soundcard-driver.c, will populate a dai link with a dummy codec when\na dai link node is present in DT but with no codec property.\n\nThe result is that at probe time, a dummy codec can either be\nuninitialized with num_codecs = 0, or be an initialized dummy codec,\nwith num_codecs = 1 and dai_name = \"snd-soc-dummy-dai\". In order to\naccommodate for both situations, check that num_codecs is not zero\nbefore accessing the codecs' fields but still check for the codec's dai\nname against \"snd-soc-dummy-dai\" as needed.\n\nWhile at it, also drop the check that dai_name is not null in the mt8192\ndriver, introduced in commit 4d4e1b6319e5 (\"ASoC: mediatek: mt8192:\nCheck existence of dai_name before dereferencing\"), as it is actually\nredundant given the preceding num_codecs != 0 check."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: mediatek: comprobar que num_codecs no es cero para evitar el p\u00e1nico durante el sondeo Despu\u00e9s de el commit 13f58267cda3 (\"ASoC: soc.h: no crear un componente ficticio mediante COMP_DUMMY()\"), COMP_DUMMY() se convirti\u00f3 en una matriz con longitud cero y solo se rellena con la estructura ficticia despu\u00e9s de que se registra la tarjeta. Dado que el sondeo del controlador de la tarjeta de sonido ocurre antes del registro de la tarjeta, acceder a cualquiera de los miembros de un componente ficticio durante el sondeo dar\u00e1 como resultado un comportamiento indefinido. Esto se puede observar en los controladores de sonido de las m\u00e1quinas mt8188 y mt8195. Al omitir un subnodo de enlace dai en el nodo de la tarjeta de sonido en Devicetree, se utiliza el c\u00f3dec ficticio no inicializado predeterminado y, cuando su puntero dai_name se pasa a strcmp(), da como resultado una desreferencia de puntero nulo y un p\u00e1nico del kernel. Adem\u00e1s de eso, set_card_codec_info() en el archivo de ayuda gen\u00e9rico, mtk-soundcard-driver.c, llenar\u00e1 un enlace dai con un c\u00f3dec ficticio cuando un nodo de enlace dai est\u00e9 presente en DT pero sin ninguna propiedad de c\u00f3dec. El resultado es que en el momento de la prueba, un c\u00f3dec ficticio puede no estar inicializado con num_codecs = 0, o ser un c\u00f3dec ficticio inicializado, con num_codecs = 1 y dai_name = \"snd-soc-dummy-dai\". Para tener en cuenta ambas situaciones, verifique que num_codecs no sea cero antes de acceder a los campos de los c\u00f3decs, pero a\u00fan as\u00ed verifique el nombre dai del c\u00f3dec contra \"snd-soc-dummy-dai\" seg\u00fan sea necesario. Mientras tanto, tambi\u00e9n elimine la verificaci\u00f3n de que dai_name no sea nulo en el controlador mt8192, introducida en el commit 4d4e1b6319e5 (\"ASoC: mediatek: mt8192: Verificar la existencia de dai_name antes de desreferenciar\"), ya que en realidad es redundante dada la verificaci\u00f3n anterior de num_codecs != 0."}], "lastModified": "2025-09-26T20:26:57.793", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF76D5FF-944B-4187-AE80-15327D64BB22", "versionEndExcluding": "6.11.11", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}