In early 2024, a security vulnerability was discovered and patched in the Linux kernel's ALSA System on Chip (ASoC) subsystem, specifically in Mediatek's SOF-common driver. The issue, now tracked as CVE-2024-35842, revolved around the improper handling of the normal_link field in struct sof_conn_stream. This field is not always initialized, and failing to check for its existence before use could trigger a NULL pointer dereference, potentially causing a kernel panic (KP).

Understanding how this bug works and how it was fixed is beneficial for kernel developers, Linux users on Mediatek platforms, and anyone curious about software security in open source projects.

Background

The Linux ASoC (ALSA System on Chip) framework manages audio support on embedded devices. The Mediatek SOF-common driver links different audio paths, with each link described using the struct sof_conn_stream.

struct sof_conn_stream {
    const char *sof_link;
    const char *normal_link; // this may be NULL!
};

On some platforms, such as the MT8188 (a Mediatek SoC), only SOF (Sound Open Firmware) audio paths exist—so the normal_link is never set. But the code didn’t check if normal_link was NULL before trying to use it.

Problem Scenario

If code assumes normal_link is always present but accesses it when it's actually NULL, the kernel can dereference a NULL pointer. This leads to an instant crash—a denial of service (DoS) and possibly a vector for local privilege escalation, although that exploitation is more complex.

Here's a simplified example of the problematic logic inside the driver before the fix:

for (int i = 0; i < num_streams; i++) {
    struct sof_conn_stream *stream = &stream_table[i];

    // Potentially unsafe: normal_link might be NULL on SOF-only platforms
    pr_info("Normal link name: %s\n", stream->normal_link);
}

If normal_link is NULL, this log line triggers a kernel panic.

How an Attacker Might Exploit

If a user (or malicious app with enough system access) can induce the ASoC subsystem to operate with a missing normal_link on affected hardware, they can intentionally cause the kernel to panic, causing a denial of service.

The Patch: Adding the NULL Check

The fix is surprisingly simple—add a NULL check before using normal_link.

if (stream->normal_link)
    pr_info("Normal link name: %s\n", stream->normal_link);

Now, if normal_link is NULL, the kernel simply skips the log, avoiding any dereference.
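To make the before/after concrete outside the kernel, here is an added userspace C example (not the driver's code and not from the upstream patch). It mirrors the struct from the article with a constructed link table in which one entry, modelled on an MT8188-style SOF-only path, leaves normal_link unset. The names in the table, the helper functions and the "longest name" operation are assumptions chosen for illustration; the guard itself is the same one the patch adds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the driver's link descriptor from the article. */
struct sof_conn_stream {
	const char *sof_link;
	const char *normal_link; /* may be NULL on SOF-only platforms */
};

/* Constructed sample table (names are made up): the third entry models an
 * MT8188-style SOF-only path that never sets normal_link. */
static const struct sof_conn_stream sample_table[] = {
	{ "SOF_DL1", "DL1_FE" },
	{ "SOF_UL1", "UL1_FE" },
	{ "SOF_DL2", NULL },
	{ "SOF_UL2", "UL2_FE" },
};
#define SAMPLE_TABLE_LEN (sizeof(sample_table) / sizeof(sample_table[0]))

/* Vulnerable shape: trusts normal_link unconditionally. On a NULL entry
 * strlen() dereferences NULL; in the kernel that is an oops or panic.
 * Kept only to show the pattern; it is never called on sample_table. */
size_t longest_normal_link_unchecked(const struct sof_conn_stream *t, size_t n)
{
	size_t longest = 0;
	for (size_t i = 0; i < n; i++) {
		size_t len = strlen(t[i].normal_link); /* NULL deref if unset */
		if (len > longest)
			longest = len;
	}
	return longest;
}

/* Hardened shape: the NULL check from the patch, applied before every use. */
size_t longest_normal_link(const struct sof_conn_stream *t, size_t n)
{
	size_t longest = 0;
	for (size_t i = 0; i < n; i++) {
		if (!t[i].normal_link)
			continue; /* SOF-only path: nothing to measure */
		size_t len = strlen(t[i].normal_link);
		if (len > longest)
			longest = len;
	}
	return longest;
}

/* Probe-time audit: how many entries lack a normal_link. A driver can
 * report this once instead of discovering it by crashing later. */
size_t count_missing_normal_links(const struct sof_conn_stream *t, size_t n)
{
	size_t missing = 0;
	for (size_t i = 0; i < n; i++)
		if (!t[i].normal_link)
			missing++;
	return missing;
}

/* Safe lookup by normal_link name; returns the index or -1 if absent. */
int find_by_normal_link(const struct sof_conn_stream *t, size_t n, const char *name)
{
	for (size_t i = 0; i < n; i++) {
		if (t[i].normal_link && strcmp(t[i].normal_link, name) == 0)
			return (int)i;
	}
	return -1;
}

int main(void)
{
	printf("entries: %zu, missing normal_link: %zu\n", SAMPLE_TABLE_LEN,
	       count_missing_normal_links(sample_table, SAMPLE_TABLE_LEN));
	for (size_t i = 0; i < SAMPLE_TABLE_LEN; i++) {
		/* Same guard as the upstream fix, placed before the %s log line. */
		if (sample_table[i].normal_link)
			printf("[%zu] %s -> %s\n", i, sample_table[i].sof_link,
			       sample_table[i].normal_link);
		else
			printf("[%zu] %s (SOF-only, no normal_link)\n", i,
			       sample_table[i].sof_link);
	}
	printf("longest normal_link: %zu\n",
	       longest_normal_link(sample_table, SAMPLE_TABLE_LEN));
	return 0;
}
```

Running it prints the three linked entries, flags the SOF-only one, and reports a longest name of 6. The unchecked variant is left in to show how little separates the two shapes: one `if` on the pointer, placed before any consumer of the string (logging, length, comparison), is the whole fix.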

Actual Patch Commit

- Upstream Kernel Patch

Commit message excerpt

> ASoC: mediatek: sof-common: Add NULL check for normal_link string
>
> It's not granted that all entries of struct sof_conn_stream declare a normal_link (a non-SOF, direct link) string ... To avoid possible NULL pointer KPs, add a NULL check for normal_link.

This is mostly of interest to system programmers or attackers with local access and a compatible device.

Mitigation

- Upgrade your kernel to one that includes the fix (post Linux 6.9).

References

- Original upstream kernel patch commit
- Sound Open Firmware Project
- ASoC (ALSA System on Chip) overview

Conclusion

CVE-2024-35842 may seem minor—a missing NULL check—but this type of bug underscores the importance of anticipating incomplete initialization, especially in low-level kernel code. For Linux users and vendors on Mediatek systems, keeping up-to-date with security patches is crucial for stability.

If you manage embedded Linux devices, consider auditing code for similar mistakes—often, ensuring pointers are checked before they’re used can save a lot of trouble down the road.

Timeline

Published on: 05/17/2024 15:15:21 UTC
Last modified on: 05/04/2025 09:06:38 UTC