CVE-2024-42074 - Linux Kernel ASoC AMD ACP Null Pointer Vulnerability Explained with Exploit Scenario
Date Published: June 2024
Severity: Medium
Component: Linux Kernel (Sound Subsystem - ASoC AMD ACP)
Patched in: Linux Kernel mainline, commit 7b661b1cad
Overview
CVE-2024-42074 is a vulnerability fixed in the Linux kernel, specifically in the Advanced Linux Sound Architecture (ALSA) System-on-Chip (ASoC) driver for AMD's Audio Co-Processor Platform (ACP). It allows a potential kernel crash (null pointer dereference) due to a missing check for a NULL pointer.
This issue is unlikely to be directly exploitable for arbitrary code execution, but it could be used to launch a local denial-of-service (DoS) attack, causing the system to crash.
What is the ASoC AMD ACP Driver?
ASoC stands for "ALSA System-on-Chip," a part of the Linux audio subsystem that supports embedded audio hardware. The snd-acp driver manages AMD’s Audio Co-Processor, an audio device baked into some AMD systems.
Details of the Vulnerability
Problem:
If the ACP platform device (chip_pdev) is *not* created during system or driver initialization, the chip->chip_pdev pointer stays set to NULL. However, the function snd_acp_resume() would still try accessing it, which causes the Linux kernel to dereference a NULL pointer — leading to an immediate kernel panic (system crash).
Root Cause:
There was no NULL pointer check for chip->chip_pdev before its use in snd_acp_resume().
Vulnerable code (before fix)
static int snd_acp_resume(struct device *dev)
{
struct acp_chip *chip = dev_get_drvdata(dev);
int ret;
ret = acp_resume(chip);
if (ret)
dev_err(dev, "acp resume failed\n");
if (chip->chip_pdev->dev.driver) {
// ... (use chip->chip_pdev)
}
return ret;
}
Problem line: if (chip->chip_pdev->dev.driver) {
If chip->chip_pdev is NULL, this will OOPS.
How Does This Happen?
1. System boots; AMD ACP platform device creation is skipped due to specific hardware config, feature flags, or boot conditions.
The kernel dereferences a NULL pointer, crashing the machine (kernel panic).
This could be triggered locally by a user causing suspend/resume cycles via standard power management tools.
The Patch
The fix is simple: add a NULL check for chip->chip_pdev before using it.
Patched code
static int snd_acp_resume(struct device *dev)
{
struct acp_chip *chip = dev_get_drvdata(dev);
int ret;
ret = acp_resume(chip);
if (ret)
dev_err(dev, "acp resume failed\n");
if (chip->chip_pdev && chip->chip_pdev->dev.driver) {
// ... use chip->chip_pdev knowing it's non-NULL
}
return ret;
}
Official patch reference
Exploit Scenario (Denial of Service)
You can’t directly gain root or arbitrary code execution, but a local user can crash the system by triggering the power management resume path on affected kernels.
Sample kernel error message
BUG: kernel NULL pointer dereference, address: 000000000000000
...
snd_acp_resume+x4d/x100 [snd-acp]
Upgrade your kernel to a version containing the patch (after June 2024).
- If that's not possible, avoid using suspend/resume or disable AMD ACP audio in the kernel config as a workaround.
References
1. CVE-2024-42074 at cve.org
2. Linux kernel commit 7b661b1cad ("ASoC: amd: acp: add a null check for chip_pdev structure")
3. Kernel.org ASoC AMD driver directory
Takeaway
This case is a classic example of why careful handling of pointers is critical in kernel code. While not a “sexy” remote hijack, CVE-2024-42074 could cause frustration—and downtime—on affected AMD laptops. It also highlights how "small" bugs in device drivers can destabilize an entire operating system.
Timeline
Published on: 07/29/2024 16:15:06 UTC
Last modified on: 08/02/2024 04:54:32 UTC