CVE-2024-56562 - Linux Kernel i3c Master Use-After-Free in Address Handling (Explained with Exploit Details)

A new vulnerability, CVE-2024-56562, has been found and patched in the Linux kernel’s i3c master driver. This issue could cause a use-after-free condition due to a copy-paste error when handling device addresses during bus operations. Attackers could exploit this to crash a system or even execute arbitrary code under certain conditions.

In this post, I’ll break down the bug, show you the affected code, how it could be abused, reference the original patch, and explain, in plain English, why this type of error is a wake-up call for anyone writing kernel drivers.

What Is the i3c Master Vulnerability?

The Linux kernel’s i3c bus code lets the system talk to I3C peripherals—sensors and chips on some modern boards. Device address management here is critical, especially in low-level C where simple copy-paste mistakes might lead to double free or dangling pointer bugs.

CVE-2024-56562 is due to a bug in how the function i3c_master_put_i3c_addrs() frees addresses, accidentally referencing and freeing the wrong address member in device structures.

- init_dyn_addr: the dynamic address assigned at setup, stored in the device's board info (dev->boardinfo->init_dyn_addr).
- dyn_addr: the actual current dynamic address used on the running bus (dev->info.dyn_addr).

When the kernel code wants to clean up (remove) a device from the bus, it needs to free the right address—the one used for initialization if it exists (init_dyn_addr). But because of messy copy-paste coding, the function was always freeing dyn_addr, leading to possible memory issues.

Look at the problematic code (pre-patch)

if (dev->boardinfo && dev->boardinfo->init_dyn_addr)
    i3c_bus_set_addr_slot_status(&master->bus, dev->info.dyn_addr, I3C_ADDR_SLOT_FREE);
    //                        ^^^^^^^^^^^^^^^^^^^^^ Should have been dev->boardinfo->init_dyn_addr

The cleanup, however, passes dev->info.dyn_addr to the free operation. This mismatch is a classic kernel mistake: a copy-paste error that swaps one variable for a similarly named one, so the live address gets freed when only the one assigned at setup should have been.

The Corrected Code

if (dev->boardinfo && dev->boardinfo->init_dyn_addr)
    i3c_bus_set_addr_slot_status(&master->bus, dev->boardinfo->init_dyn_addr, I3C_ADDR_SLOT_FREE);
    //                                    ^^^ Corrected to use the right address

With the pre-patch code in place, the wrong slot is released during cleanup. That opens the following sequence:

- Trick the kernel into freeing an address slot still in use (dyn_addr), leaving a pointer hanging.
- The kernel might later try to access or free this already-freed address, leading to a use-after-free vulnerability, a classic route to crashing the machine or, in rare cases, escalating privileges.

Here’s what an attacker could try (as a developer, not as a casual user)

// Simulate attaching and detaching a device with mismatched addresses.
// Sketch against the kernel's internal types (not a stand-alone program):
// i3c_master_put_i3c_addrs() is a static helper in drivers/i3c/master.c
// and takes only the device descriptor.
struct i3c_dev_boardinfo boardinfo = { .init_dyn_addr = 0x41 }; // address assigned at setup
struct i3c_dev_desc dev = { .boardinfo = &boardinfo };
dev.info.dyn_addr = 0x42;                                        // live address on the bus

i3c_master_put_i3c_addrs(&dev); // Pre-patch: would incorrectly free 0x42 (in use) instead of 0x41

A fake device entry using this could force the kernel to corrupt its own bookkeeping, especially if other devices later reuse those address slots.
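To make that bookkeeping corruption concrete, here is a small user-space model I've added for this post (constructed for illustration, not kernel code): a byte-per-address slot table standing in for the kernel's bitmap, the cleanup step in both its pre-patch and patched forms, and the address the bus would hand to the next device afterwards. The addresses 0x41/0x42 and all helper names are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the bus's address-slot table: the kernel packs two
 * status bits per address into a bitmap; one byte per address suffices here. */
#define I3C_ADDR_SLOT_FREE    0
#define I3C_ADDR_SLOT_I3C_DEV 1
struct i3c_bus { uint8_t slots[128]; };
struct i3c_dev_boardinfo { uint8_t init_dyn_addr; };
struct i3c_dev_desc {
	struct { uint8_t dyn_addr; } info;
	struct i3c_dev_boardinfo *boardinfo;
};

static void set_slot(struct i3c_bus *bus, uint8_t addr, uint8_t status)
{
	bus->slots[addr & 0x7f] = status;
}

/* The cleanup step from the post. fixed=false reproduces the copy-paste
 * error (releases the live dyn_addr); fixed=true releases init_dyn_addr. */
static void put_init_addr(struct i3c_bus *bus, struct i3c_dev_desc *dev, bool fixed)
{
	if (dev->boardinfo && dev->boardinfo->init_dyn_addr)
		set_slot(bus, fixed ? dev->boardinfo->init_dyn_addr
				    : dev->info.dyn_addr, I3C_ADDR_SLOT_FREE);
}
/* Lowest address the bus would hand to the next device (hot-join / DAA). */
static int next_free_addr(const struct i3c_bus *bus)
{
	for (int a = 0x08; a < 0x7e; a++)
		if (bus->slots[a] == I3C_ADDR_SLOT_FREE)
			return a;
	return -1;
}

/* Device holds init 0x41 and live 0x42 (constructed values); every other
 * slot is occupied so the next allocation reveals which one was released.
 * Returns 0x42 (live address handed out again) pre-patch, 0x41 post-patch. */
static int next_addr_after_cleanup(bool fixed)
{
	struct i3c_bus bus;
	struct i3c_dev_boardinfo bi = { .init_dyn_addr = 0x41 };
	struct i3c_dev_desc dev = { .info = { .dyn_addr = 0x42 }, .boardinfo = &bi };
	memset(bus.slots, I3C_ADDR_SLOT_I3C_DEV, sizeof(bus.slots));
	put_init_addr(&bus, &dev, fixed);
	return next_free_addr(&bus);
}
```

Pre-patch the next device would be handed 0x42 while the first device still answers to it, and 0x41 stays marked in use forever; post-patch the released init address 0x41 is reused and the live slot stays reserved.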

Who Is Affected?

- Linux systems using i3c (mostly embedded/IoT or development boards with i3c).
- Kernel versions before the patched release.

Official Patch and References

- Patch commit: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs()
- CVE entry: CVE-2024-56562 on cve.org
- Kernel discussion: LKML Patch Discussion

Update your kernel! Make sure you run a version with this patch applied.

- If you write kernel bus drivers: always double and triple-check address frees. Copy-paste bugs like this are rare, but very costly.

Conclusion

CVE-2024-56562 is a teachable moment: one copy-paste variable swap in a kernel driver can open the door to subtle, dangerous attacks. Linux upstream fixed it quickly; make sure your devices get that fix.

For full details, see the official patch and keep your system up to date.


Timeline

Published on: 12/27/2024 15:15:15 UTC
Last modified on: 05/04/2025 09:58:24 UTC