
The Linux kernel is at the heart of millions of systems, and even minor errors in its driver code can lead to crashes or unexpected behaviors. In early 2024, a vulnerability (CVE-2024-50137) was discovered and patched in the StarFive JH711 reset driver module. This post breaks down the bug, why it was a problem, how it was fixed, and what it means for users and device makers—with easy code examples and references.

## What is CVE-2024-50137?

CVE-2024-50137 is a vulnerability in the Linux kernel's reset subsystem, specifically in the StarFive JH71x System-on-Chip (SoC) reset controller driver. Because the driver lacks a check for a NULL pointer, the bug can crash the kernel under certain conditions.

## Technical Summary

- Component: Linux Kernel (drivers/reset/reset-starfive-jh71x.c)
- Affected SoC: StarFive JH711
- Introduced By: Commit 82327b127d41
- Root Cause: Dereferencing a possibly NULL pointer (data->asserted)
- Patch: Kernel commit fixing the bug

## What Was the Problem?

When the StarFive JH711 reset driver was merged, it introduced a scenario where the data->asserted member in the driver's data structure could be NULL. However, the code did not always check for this before using it.

Here's the buggy code snippet (simplified):

```c
int reset_control_status(struct reset_controller_dev *rcdev, unsigned long id) {
    struct starfive_reset_data *data = rcdev->priv;
    // ... snip ...
    // BUG: data->asserted may be NULL, but it is read unconditionally below
    return !!test_bit(id, data->asserted);
}
```

In some configurations (such as the JH711 SoC), data->asserted is intentionally left NULL to indicate that asserted state is not tracked, yet reset_control_status() always tries to read from it. When that happens, the kernel crashes with a NULL pointer dereference.

## Breaking Down the Exploit

This type of bug is a *local denial-of-service* (DoS) flaw. If an attacker (or simply a misbehaving program) accesses a reset controller device on an affected kernel and triggers reset_control_status() while data->asserted is NULL, the kernel panics.

## Exploitation Scenario

1. Required setup: The bug is in kernelspace, reachable by code with the ability to call into device drivers, usually via a device node (/dev/), sysfs, or platform driver triggers.
2. Attack vector: Userspace initiates a device reset or queries the reset status via an interface that ends up calling reset_control_status() for a JH711 device.
3. Outcome: The kernel dereferences NULL and crashes, resulting in a denial of service.

This does not allow for privilege escalation or remote compromise, but causes unwanted reboots or system failures.

## The Fix

The kernel patch adds a check to make sure data->asserted is non-NULL before using it, preventing the null dereference.

Patched code example (simplified):

```c
int reset_control_status(struct reset_controller_dev *rcdev, unsigned long id) {
    struct starfive_reset_data *data = rcdev->priv;

    // Asserted state is not tracked for this SoC: report that instead of crashing
    if (!data->asserted)
        return -ENOTSUPP;  // Return 'operation not supported'

    return !!test_bit(id, data->asserted);
}
```

Now, if data->asserted is NULL, the function returns an error code instead of crashing, and callers must treat that negative return as "status unavailable" rather than as a reset-line state.
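To make the fix concrete, here is a small userspace model of the status path, added for this post (it is not the kernel driver's own code): the pre-fix and post-fix logic sit side by side, a local test_bit() and the kernel's ENOTSUPP value are supplied so it builds outside the kernel tree, and the struct and function names (model_reset_data, model_status_fixed, and so on) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define ENOTSUPP 524 /* kernel-internal errno value used by the fix; absent from userspace errno.h */
#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* Stand-in for the kernel's test_bit(): returns bit 'nr' of bitmap 'addr'. */
static int test_bit(unsigned long nr, const unsigned long *addr)
{
    return (addr[nr / BITS_PER_LONG] >> (nr % BITS_PER_LONG)) & 1UL;
}

/* Model of the driver's private data (assumed name); 'asserted' is legitimately
 * NULL for SoC variants that do not track asserted state, as described above. */
struct model_reset_data {
    unsigned long *asserted;
};

/* Pre-fix logic: reads data->asserted unconditionally; with NULL this is the crash. */
static int model_status_unchecked(struct model_reset_data *data, unsigned long id)
{
    return !!test_bit(id, data->asserted);
}

/* Post-fix logic: refuse the query instead of dereferencing NULL. */
static int model_status_fixed(struct model_reset_data *data, unsigned long id)
{
    if (!data->asserted)
        return -ENOTSUPP;
    return !!test_bit(id, data->asserted);
}

/* Caller side: a negative return is an error, not a line status, and must be handled. */
static const char *model_status_string(struct model_reset_data *data, unsigned long id)
{
    int st = model_status_fixed(data, id);
    if (st < 0)
        return "unknown (not tracked)";
    return st ? "asserted" : "deasserted";
}

int main(void)
{
    unsigned long bits[1] = { 1UL << 3 };         /* constructed: only reset line 3 asserted */
    struct model_reset_data tracked = { bits };
    struct model_reset_data untracked = { NULL }; /* the untracked configuration */
    printf("tracked, line 3:   %s\n", model_status_string(&tracked, 3));
    printf("untracked, line 3: %s\n", model_status_string(&untracked, 3));
    return 0;
}
```

With a tracked bitmap both variants agree; only the fixed variant can be called with the untracked configuration, where it returns -ENOTSUPP instead of faulting.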

## How to Check If You're Vulnerable

- If your device uses the StarFive JH711 SoC and runs Linux with a kernel including commit 82327b127d41 but without the fix (dfadcf8c527b7afce1d91a904d1ebb1e563ec2), you are vulnerable. To locate the driver in a kernel source tree or build configuration, grep for its name:

```shell
grep 'reset-starfive'
```

- Device vendors and OS builders should audit their kernels for this patch.

---

## References

- Linux kernel commit introducing the bug (82327b1)
- Linux kernel fix commit (dfadcf8)
- StarFive JH711 SoC Documentation
- CVE record on NVD (US government) *(upon publication)*

---

## Conclusion & Advice

CVE-2024-50137 is a classic example of why even “small” pointer checks matter in kernel code. If you build or use Linux on StarFive JH711, update to a kernel with the fix applied as soon as possible, to avoid surprises.

Stay safe—keep your systems patched and always review recent kernel security advisories!

## Timeline

Published on: 11/05/2024 18:15:16 UTC
Last modified on: 11/08/2024 14:29:05 UTC