CVE CyberSecurity Database News

CVE-2024-42282 - NULL Pointer Dereference in Linux Kernel Mediatek net_device Handling — Root Cause & Fix Explained

Poster -

A recent vulnerability (CVE-2024-42282) was found and fixed in the Linux kernel's MediaTek Ethernet driver (net: mediatek). This bug had the potential to crash the system due to a NULL pointer dereference if a dummy network device wasn't properly allocated during driver initialization. In this post, we'll break down how the bug appeared, why it was dangerous, and how the Linux kernel developers fixed it.

What Happened?

The Linux kernel uses "network device" objects (net_device) to represent actual or virtual network interfaces. Some drivers, like the MediaTek Ethernet driver (mtk_eth_soc.c), use "dummy" network devices for feature support or driver logic.

Problem:
A code path in the driver's initialization function (mtk_probe()) tries to create a dummy network device. If that creation failed, cleanup code would later try to free a pointer that was never set—causing a NULL pointer dereference (kernel crash).

Code Snippet — Before the Fix

// In mtk_probe()
eth->dummy_dev = alloc_netdev_dummy(...);
if (!eth->dummy_dev) {
    ret = -ENOMEM;
    goto err_free_dev;
}
// ...
err_free_dev:
    mtk_free_dev(eth);
    return ret;


// In mtk_free_dev()
if (eth->dummy_dev)
    free_netdev(eth->dummy_dev); // Safe if pointer valid

But, if alloc_netdev_dummy() failed, eth->dummy_dev would be NULL, yet some code paths could still attempt to free it.

Kernel Panic:

Calling free_netdev() with a NULL pointer is not safe and can trigger a kernel panic (system crash).

Denial of Service:

An attacker (even a user plugging in a problematic device) could exploit this, intentionally or by accident, leading to a crash.

- Stability/Availability:

Original Patch Reference

The issue was found by static analysis tool Smatch and later fixed upstream.

Patch commit:

net: mediatek: Fix potential NULL pointer dereference in dummy net_device handling

The Fix: Only Free What Was Allocated

The patch moves the freeing of the dummy network device from the general free routine (mtk_free_dev()) to the driver's remove function (mtk_remove()), which is only called when device setup fully succeeded.

Code Snippet — After the Fix

// Do not try to free dummy_dev in error path
static void mtk_remove(struct platform_device *pdev)
{
    struct mtk_eth *eth = platform_get_drvdata(pdev);

    // Only free when we know dummy_dev was allocated
    if (eth->dummy_dev)
        free_netdev(eth->dummy_dev);

    // ... rest of cleanup
}


static void mtk_free_dev(struct mtk_eth *eth)
{
    // No longer frees dummy_dev here — avoids NULL dereference
}

Result:

Exploit Details

Unlike code execution or privilege escalation bugs, this is a *local denial of service* risk. That means if an attacker could trigger the driver registration with intentional failures (by hardware or fuzzing), they could crash the kernel:

Attacker inserts a contrived or faulty device.

2. Driver's probe function (mtk_probe()) tries to set up a dummy device; allocation fails under memory pressure or crafted conditions.

NULL pointer dereference → kernel panic.

It's not a remote exploit, nor does it let the attacker take over the system, but it can seriously hurt reliability.

Real-World Impact

- Embedded Devices: Many routers or IoT platforms use MediaTek chips running Linux. Some may auto-reboot (self recovery), others may stay crashed.
- Cloud/VPS Providers: If using MediaTek-based hardware, affected instances could be crashed by local users or automation gone wrong.

Update Your Kernel:

Ensure you run a kernel with the fix applied. All Linux distros will port this fix to their kernel packages.

References

- Official Patch Commit (kernel.org)
- Smatch Tool — Static Analysis
- Linux Kernel netdev mailing list discussion

Summary

CVE-2024-42282 is a cleanup error in the Linux kernel's MediaTek Ethernet driver, leading to a serious system crash if a network device allocation failed. The patch ensures the kernel never tries to free a NULL pointer, boosting system stability and reliability. While it's not a remote or code execution bug, any crash bug in the kernel is one to squash fast.

If you use MediaTek network devices with Linux, patch now!

*This exclusive explainer was written to simplify CVE-2024-42282 for everyone. Please share with friends and colleagues running Linux.*

Timeline

Published on: 08/17/2024 09:15:09 UTC
Last modified on: 08/19/2024 19:53:45 UTC