A recent vulnerability has been identified and patched in the Linux kernel's ALSA (Advanced Linux Sound Architecture) driver for TASCAM USB US-122L audio interfaces. Known officially as CVE-2024-56532, this issue could cause system slowdowns or lockups when a USB audio device is unplugged. This post provides exclusive, easy-to-understand details, code snippets, the root cause, and exploitation potential for security researchers, sysadmins, and curious Linux users.
What is CVE-2024-56532?
CVE-2024-56532 is a bug in the Linux kernel's audio driver, specifically in how it cleans up (or "frees") USB audio card data structures when the device is disconnected (unplugged). Instead of freeing resources quickly and efficiently, the vulnerable code used a synchronous cleanup function that could get "stuck" waiting for user processes to close the device. As a result, operations intended to be brief (like unplugging a USB audio card) could block the entire USB subsystem, possibly causing system performance issues and a "soft lockup" in the kernel.
- It used snd_card_free() at device disconnect.
- But snd_card_free() blocks until all open file descriptors (FDs) referencing the audio device are closed.
- A user process could keep FDs open, intentionally or accidentally, causing the disconnect task to hang.
- This block could prevent new USB commands and trigger a kernel "soft lockup," reducing device responsiveness or even making the system unusable in some cases.
The vulnerable code snippet
```c
// Original: Synchronous free, can block
static void us122l_disconnect(struct usb_interface *intf)
{
    struct snd_usb_us122l *us122l = usb_get_intfdata(intf);

    if (us122l) {
        // This call can block
        snd_card_free(us122l->chip.card);
    }
}
```
Resolution and Patch
The fix replaces the blocking function (snd_card_free()) with its asynchronous sibling, snd_card_free_when_closed(). This function defers cleanup until all user processes have actually released their file handles, avoiding any long waits in the disconnect routine.
The patched code
```c
// Patched: Asynchronous free, non-blocking
static void us122l_disconnect(struct usb_interface *intf)
{
    struct snd_usb_us122l *us122l = usb_get_intfdata(intf);

    if (us122l)
        snd_card_free_when_closed(us122l->chip.card);
}
```
This function returns immediately. The actual resource cleanup happens in the background, right after the last user process (if any) has closed the device, no matter how long that takes.
Additional Change
A redundant loop checking us122l->mmap_count was also dropped, since the asynchronous approach doesn't need to worry about FD counting in this context.
Exploitation: How Could a Malicious User Abuse This?
While CVE-2024-56532 is not a classic "remote code execution" or "privilege escalation" flaw, it could be abused for denial of service:
- A local user process keeps a /dev/snd/* audio device file open.
- Meanwhile, an attacker (or accident) triggers a USB disconnect (by physically unplugging the device).
- Because the driver waits for all user FDs to close, the kernel's USB subsystem becomes stuck, unable to process other USB events or operations.
- In high availability or multi-user environments, this could degrade the system and block legitimate use.
Proof-of-Concept (PoC) Scenario
```sh
# Keep an audio device FD open in terminal 1:
arecord -l                              # Locate card number (say, card 1)
arecord -D hw:1,0 /tmp/test.wav &       # card 1, device 0
# That command keeps a handle open.
# Now unplug the TASCAM US-122L device.
# The disconnect routine hangs until "arecord" closes!
# Any process talking to USB may also hang or time out.
```
- Linux users with TASCAM US-122L (and possibly similar) USB audio interfaces.
- Systems with unpatched kernels prior to this commit (Upstream ALSA patch).
- Any server or desktop that might experience frequent plug/unplug of USB audio gear, or where users may leave device files open.
What Should I Do?
- Update your Linux kernel to a version containing the fix (expected in 6.10+; check your vendor's kernel or backport advisory).
- If you build your own kernels, apply the patch from the upstream Linux/ALSA repository.
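Until a patched kernel is in place, it helps to know which processes hold the card's device nodes open, since those are the handles the old disconnect path waits on. The following is an added example, not code from the original post or from the kernel project; the function name `snd_holders` and its optional proc-root argument are assumptions made for this example.

```sh
#!/bin/sh
# snd_holders [CARD] [PROC_ROOT]
#   Prints "PID COMM TARGET" for every open FD that points at /dev/snd/*.
#   CARD      optional ALSA card index (matches controlC1, pcmC1D0c, hwC1D0, ...)
#   PROC_ROOT defaults to /proc; overridable so the function can be run
#             against a constructed directory tree.
# Run as root to see FDs of processes owned by other users.
# Example: snd_holders 1
snd_holders() {
    card=$1
    proc_root=${2:-/proc}
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # Unreadable or vanished entries (and an unmatched glob) are skipped.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            /dev/snd/*) ;;
            *) continue ;;
        esac
        node=${target#/dev/snd/}
        # After an unplug the node is unlinked and /proc appends " (deleted)";
        # such a handle still pins the card until the process closes it.
        node=${node% (deleted)}
        if [ -n "$card" ]; then
            case $node in
                *C"$card"|*C"$card"D*) ;;   # C1 must not match C11
                *) continue ;;
            esac
        fi
        pid=${fd#"$proc_root"/}
        pid=${pid%%/*}
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$pid" "$comm" "$target"
    done | sort -u
}
```

A line whose target ends in "(deleted)" belongs to a process that kept its handle across the unplug; on a patched kernel the card is released only once that process closes it.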
Conclusion
CVE-2024-56532 shows how nuanced kernel code—especially device teardown—can have big impacts on real-world system stability. The fix is elegant and low-effort: simply call the right non-blocking function. If you manage Linux systems with USB audio devices, patch today and avoid frustrating system freezes.
Stay secure, and keep your kernel up to date!
Timeline
Published on: 12/27/2024 14:15:32 UTC
Last modified on: 05/04/2025 09:57:27 UTC