CVE-2022-49273 - Null Pointer Dereference in Linux Kernel’s PL031 RTC Driver (Explained Simply)

The Linux kernel is the engine that powers millions of devices worldwide, from smartphones and servers to IoT gadgets. Security in such software is crucial because even small errors can lead to system crashes, or worse, allow attackers to hijack systems. In early 2023, a bug was fixed in the Linux kernel’s PL031 Real-Time Clock (RTC) driver, tracked as CVE-2022-49273. This vulnerability could cause a crash if the system lacked an RTC interrupt line. In this post, we’ll explain the bug, see how it could be exploited, and look at the code changes that fixed it.

What Does CVE-2022-49273 Affect?

This CVE relates specifically to the PL031 Real-Time Clock (RTC) driver in the Linux kernel. The driver manages timekeeping hardware on certain ARM-based platforms (like some Raspberry Pi models and embedded systems).

What Was the Problem?

Linux lets you set alarms on RTC hardware—think of it like adding a ring timer to your device. But if your system doesn’t wire up an interrupt line for this timer, the driver is supposed to disable the alarm feature.

Here’s what was wrong

- The code tried to clear the "alarm capabilities" before setting up the actual rtc_device structure.
- On platforms with no alarm interrupt line, this caused a null pointer dereference (the code tried to touch memory through an uninitialized pointer).
- In practice, this could crash your Linux system as soon as you loaded the PL031 RTC module on unsupported hardware.

Real-World Analogy

Imagine you’re updating a spreadsheet, but you press "delete all alarms" before you’ve even opened the correct document—crash!

Here’s a code snippet showing the problem in the original driver

// Original buggy code
if (!irq) {
    ldata->rtc->features &= ~RTC_FEATURE_ALARM;
}
ldata->rtc = devm_rtc_device_register(dev, ...);

irq is the interrupt line. If it’s missing, code tries to clear the alarm capability flag.

- But ldata->rtc hasn’t been allocated yet—so this is like doing NULL->something, which is fatal.

Result: System crash due to a NULL dereference.

The (Simple) Fix

Move the clearing of the RTC_FEATURE_ALARM flag after the actual RTC device has been registered and allocated.

Here’s what the fixed code looks like

ldata->rtc = devm_rtc_device_register(dev, ...);   // 1. Register (set up) the device
if (!irq) {
    ldata->rtc->features &= ~RTC_FEATURE_ALARM;    // 2. Now it's safe to clear the feature
}

See the Fix on GitHub

- Upstream Patch to mainline Linux
- Linux Kernel Mailing List Discussion

Can This Be Exploited? (And How)

- Practical exploitation is limited: This bug causes a null pointer dereference, which in modern kernels can only crash (panic) your system, not give attackers more privileges.
- Denial of Service (DoS): If you have access to a system with this driver, you can crash it by loading the driver *without* a hardware alarm interrupt line. For instance:

The system panics and crashes because of the null dereference.

*If the driver is built-in and not a module, you could trigger this at boot, which is just as fatal.*

No privilege escalation or remote code execution vector exists here—it’s a bug that can crash your device, possibly resulting in denial of service.

Which Versions Are Patched?

The fix went into mainline Linux in early 2023.

Linux 6.2 and later are patched.

- You may also find patches backported to LTS series (such as 5.15 or 5.10), especially in Ubuntu, Red Hat, and Debian kernels.

Recommendations

- Update your kernel: If you run custom ARM hardware or use the PL031 driver, update to a patched kernel.
- Minimize attack surface: Don’t load unnecessary RTC drivers on hardware that doesn’t use them.
- Embedded device vendors: Check your device tree and kernel configs to ensure drivers match the hardware.

References

- CVE-2022-49273 on Mitre
- Linux Kernel Patch Commit
- PL031 RTC driver source code
- Linux Kernel Mailing List Patch Review

TL;DR

CVE-2022-49273 is a Linux kernel bug in the PL031 RTC driver where it could crash your system (null pointer dereference) if no hardware interrupt is available for the alarm feature. The fix was simple: wait until the data structure is set up before clearing capabilities. This is not a “hacker” bug, but crashed devices are bad news—so update your kernels!

Timeline

Published on: 02/26/2025 07:01:04 UTC
Last modified on: 04/14/2025 16:53:14 UTC