CVE CyberSecurity Database News

CVE-2024-50070 - How a Missed NULL Check in Linux pinctrl-stm32 Led to a Security Vulnerability

Poster -

In early 2024, security researchers identified and fixed a bug in the Linux kernel's pin controller code for STM32 chips. Catalogued as CVE-2024-50070, this vulnerability revolved around improper handling of the devm_kasprintf() function, potentially leading to NULL pointer dereferences—which can crash the kernel or open the door to further attacks depending on context.

This article breaks down how this bug occurred, why it's a problem, how it was fixed, and what it means for sysadmins and Linux developers. We’ll keep things simple and show practical code examples for learning.

What is pinctrl-stm32?

The pinctrl-stm32 driver is a part of the Linux kernel responsible for controlling the pins on STM32 microcontrollers—those little chips commonly found in embedded devices, smart appliances, and IoT platforms.

The Bug: Not Checking devm_kasprintf() Return Value

In the affected code, the driver used devm_kasprintf() to create a string, likely to name something (like a GPIO chip). On error (for example, low-memory conditions), devm_kasprintf() returns NULL. The problem? *The code did not check for this NULL value before using it.*

Let’s see a simplified version of the vulnerable snippet

// Buggy code from drivers/pinctrl/pinctrl-stm32.c

chip->label = devm_kasprintf(dev, GFP_KERNEL, "stm32-gpio%c.%d",
              port->name[suffix], pinctrl->id);
// ...  
// No NULL check before using chip->label!
platform_set_drvdata(pdev, chip);

If memory allocation fails, chip->label will be NULL. Any further use—such as printing its label—will make the kernel blow up (NULL pointer dereference). This could be triggered under specific attack scenarios, or just cause random system crashes when a device is initialized.

Why is This Dangerous?

- Denial of Service: A system crash (kernel panic or oops) can stop your device cold—bad news for embedded systems in cars, factories, or your home router.
- Potential Privilege Escalation: Sometimes, kernel NULL pointer dereference bugs can be turned into privilege escalations on certain hardware or configurations.
- Hard to Debug: These bugs usually don’t leave clear logs. Embedded developers might just see their device hang or reboot.

The Fix

The fix is simple: check the return value of devm_kasprintf() and handle the error if it returns NULL.

Here’s the patched version

// Fixed code
chip->label = devm_kasprintf(dev, GFP_KERNEL, "stm32-gpio%c.%d",
              port->name[suffix], pinctrl->id);

if (!chip->label) {
    dev_err(dev, "Failed to allocate label string\n");
    return -ENOMEM;
}

This way, if memory allocation fails, the function cleans up gracefully and returns an error instead of risking a kernel crash.

This is not a straightforward "remote exploit" bug! But

- Attackers with control over device initialization and the ability to force low memory (for example, by allocating lots of memory before plugging in a device) could potentially crash the kernel by exploiting the missing check.
- Malicious devices designed to be plugged into an affected system might trigger driver loading in a low-memory situation, causing a denial of service.

When devm_kasprintf() fails, the system dereferences NULL and crashes.

On many devices, even a crash is significant. For embedded systems, this could mean disabling critical functionality (think medical device controllers or industrial machinery).

- Linux Kernel Commit Fix (git.kernel.org)
- CVE-2024-50070 at CVE.org *(may take time to populate)*
- pinctrl-stm32 driver documentation (kernel.org)

What Should You Do?

1. Update Your Kernel: If you run devices using STM32 chips and Linux, upgrade to a kernel version including this patch (look for kernels released after late May 2024).
2. Backport the Patch: If you maintain a custom kernel, grab the fix from the commit.
3. Audit for Similar Bugs: This type of oversight is common—review usage of functions like devm_kasprintf, kmalloc, and friends in your code.

Final Words

CVE-2024-50070 is a classic example of how small oversights—like forgetting to check for a NULL pointer—can have big consequences, especially in kernel code. Even if you aren’t an STM32 user, any Linux developer should see this as a lesson: always check the return values of memory allocation functions! It keeps your systems safer and saves you from mysterious crashes down the road.

Stay secure & keep coding smart!

*This article is exclusive and originally written for educational purposes. For a deep-dive into kernel security, bookmark the links above and stay updated!*

Timeline

Published on: 10/29/2024 01:15:04 UTC
Last modified on: 10/30/2024 16:59:39 UTC