## Introduction
CVE-2022-49375 is a security bug in the Linux kernel, specifically affecting the Real-Time Clock (RTC) driver for MediaTek’s MT6397 chip (in drivers/rtc/rtc-mt6397.c). If left unfixed, this bug can allow a local attacker to crash your kernel and cause a denial of service.
Let's break down what this bug is, how it happens, and how you can stay safe.
## Impact of CVE-2022-49375
Bug: Null Pointer Dereference
- Potential Harm: Local denial of service (kernel panic / system crash)
- Who Can Exploit: Local users with certain privileges, typically needing to be able to add, remove, or manipulate hardware devices (e.g. via device tree overlays)
Why does it matter?
Depending on your configuration and user environment, attackers could use this bug to crash machines, break services, or potentially escalate their privileges through denial of service.
## Root Cause Analysis
Let’s look at the problematic code pattern
res = platform_get_resource(pdev, IORESOURCE_MEM, );
rtc->base = devm_ioremap_resource(&pdev->dev, res);
Here, the driver is trying to get a hardware resource (like a memory region) associated with the hardware platform. platform_get_resource() should return a pointer to a resource struct, or NULL if the resource isn’t there.
The Bug:
If platform_get_resource() returns NULL (failed to retrieve the resource),
the NULL value is passed into devm_ioremap_resource().
That function expects a _valid_ pointer. Passing a NULL pointer can lead to a NULL pointer dereference, which crashes the kernel.
## Exploiting the Bug
Who can trigger it?
On typical systems, only root or device tree authors can load such drivers or create mismatched resources. But with container environments, user namespaces, or malicious kernel modules, an attacker might trigger this bug.
Sample Exploit (Proof of Concept)
Suppose you write a device tree overlay or hotplug a platform device that lacks the required resource.
Or, from kernel code (as root)
struct platform_device *pdev = /* ... create device w/o resource ... */;
platform_device_register(pdev); // Will trigger the bug
When Linux loads the driver and tries to initialize it, platform_get_resource() returns NULL, causing a crash:
[ 34.845101] Unable to handle kernel NULL pointer dereference at virtual address 000000000000000
...
Observe system crash or kernel panic when the driver attempts to use the resource.
## Patch Walkthrough
The fix adds a check for NULL after calling platform_get_resource() before using the pointer.
Before (Vulnerable)
res = platform_get_resource(pdev, IORESOURCE_MEM, );
rtc->base = devm_ioremap_resource(&pdev->dev, res);
After (Patched)
res = platform_get_resource(pdev, IORESOURCE_MEM, );
if (!res) {
dev_err(&pdev->dev, "No memory resource\n");
return -ENODEV;
}
rtc->base = devm_ioremap_resource(&pdev->dev, res);
It’s a classic example of defensive programming—always check your pointers!
You can see the official commit here
- Upstream Linux commit
## How to Detect and Protect
Make sure your Linux kernel includes the patch for CVE-2022-49375.
- Audit Custom Device Drivers/Overlays:
Check all custom device trees and platform device registrations to ensure required resources are present.
Restrict who can load kernel modules and manipulate hardware resources.
## References
- Linux Kernel Patch for CVE-2022-49375
- CVE Details: CVE-2022-49375
- Linux Kernel Documentation – Platform Driver Resources
- devm_ioremap_resource() API Reference
Final Words
CVE-2022-49375 is a simple, but real, kernel bug—one missed check, and an attacker or hardware misconfiguration can take down your system. Always check your pointers, review kernel code for corner cases, and keep your systems patched!
*If you found this post helpful, consider sharing or following for more exclusive, plain-English analysis of Linux kernel CVEs!*
Timeline
Published on: 02/26/2025 07:01:14 UTC
Last modified on: 04/14/2025 20:37:47 UTC