A new vulnerability, CVE-2024-56576, was reported and fixed in the Linux kernel. It affects the media I2C driver for Toshiba's tc358743 HDMI-to-CSI-2 bridge (drivers/media/i2c/tc358743.c). When the driver runs in polling mode and probe() fails partway through, the polling timer is left armed and later fires on driver state that has already been freed: a use-after-free that crashes the kernel.
This article will break down the bug in simple language, show you the relevant code, and demonstrate how the crash happens. We'll also link to the original patch and help you understand what to look out for as an admin or developer.
Vulnerability Summary
- Component: drivers/media/i2c/tc358743.c in the Linux kernel
- Kernel versions: all releases before the fix commit, which was merged into mainline in late 2024 and backported to the stable series
- Issue: if an error occurs during the driver's probe() function *while polling mode is enabled*, the polling timer stays armed while devres frees the driver state; when the timer fires, its callback touches already-freed memory and crashes the kernel (a use-after-free).
1. The probe function (tc358743_probe) sets up and arms a polling timer if polling mode is in use.
2. If a later operation in probe() fails, the function returns an error, and devres frees the driver state (it was allocated with devm_kzalloc).
3. But the error path forgot to delete the polling timer.
4. The still-armed timer later fires, its callback dereferences the driver structure, and it ends up touching already-freed memory.
Crash Trace Example
------------[ cut here ]------------
WARNING: CPU: 3 PID: at kernel/time/timer.c:183 __run_timers+0x244/0x268
...
Call trace:
__run_timers+0x244/0x268
timer_expire_remote+0x50/0x68
...
---[ end trace 000000000000000 ]---
Why Is This Dangerous?
Probe runs when the I2C device is bound to the driver, not when an HDMI cable is plugged in, so the trigger is anything that makes probe fail after the timer has been armed: a bridge chip that does not answer on I2C because of a wiring fault, or a later initialisation step that returns an error. Whoever can cause that can make the system *crash* shortly afterwards, when the timer fires. The result is denial of service: the device stays down until it is rebooted.
Below is a simplified example of how the timer is used inside the driver (the real probe() also registers the V4L2 subdevice, CEC adapter and work queues; those steps are elided here):
// Simplified pseudo-code, not the driver's exact code
#include <linux/device.h>
#include <linux/i2c.h>
#include <linux/jiffies.h>
#include <linux/timer.h>
struct tc358743_state {
	struct timer_list timer;
	// ...
};
// Timer callback: polls the chip, then re-arms the timer (body elided)
static void tc358743_timer_func(struct timer_list *t);
static int tc358743_probe(struct i2c_client *client,
			  const struct i2c_device_id *id)
{
	struct tc358743_state *state;
	int ret;
	// devm_*: devres frees state automatically when probe() returns an error
	state = devm_kzalloc(&client->dev, sizeof(*state), GFP_KERNEL);
	if (!state)
		return -ENOMEM;
	// Timer setup (polling mode: no interrupt line available)
	timer_setup(&state->timer, tc358743_timer_func, 0);
	mod_timer(&state->timer, jiffies + msecs_to_jiffies(100));
	// ... (other probe stuff)
	ret = tc358743_hw_init(state);
	if (ret) {
		// This is where things went wrong:
		// state->timer is still armed, and devres is about to free state
		dev_err(&client->dev, "Hardware init failed\n");
		// Normally would need to remove timer here!
		return ret;
	}
	// Success path...
	return 0;
}
The missing piece:
If tc358743_hw_init() fails, probe() is aborted and devres frees state along with the other devm-managed resources.
But the timer is *not* deleted, so its callback may run on state after it has been freed.
How Was It Fixed?
The patch makes the error path delete the timer, via del_timer_sync(&state->timer), before returning. The _sync variant matters: it not only dequeues a pending timer but also waits for a callback that is already running on another CPU to finish, so the callback cannot be mid-flight when the state is freed. (Newer kernels spell the same call timer_delete_sync().)
Fixed Code Snippet
ret = tc358743_hw_init(state);
if (ret) {
	del_timer_sync(&state->timer); // <-- FIX
	return ret;
}
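The mechanism described above, and what the fix changes, can be watched outside the kernel. The following is an added example written for this article, not the driver's code and not the patch: a user-space C model in which a tiny stand-in timer core, a devres-style release and a driver probe() play the same roles as their kernel namesakes. The names timer_setup, add_timer, del_timer_sync, run_timers and tc358743_timer_func are this model's own stand-ins; the real timer core keys timers on an expiry time and devres frees the state through the slab allocator, whereas here the state is poisoned with a constructed marker value instead of freed so that the model itself stays memory-safe.

```c
/* Added example (not kernel code): a user-space model of the tc358743 probe error
 * path. The timer_*, run_timers and tc358743_* names are this model's stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define MAX_TIMERS 8

struct timer_list {
	void (*function)(struct timer_list *);
};

/* Stand-in timer core: every armed timer fires on the next run_timers(). */
static struct timer_list *pending[MAX_TIMERS];

static void timer_setup(struct timer_list *t, void (*fn)(struct timer_list *))
{
	t->function = fn;
}

static void add_timer(struct timer_list *t)
{
	for (int i = 0; i < MAX_TIMERS; i++)
		if (!pending[i]) { pending[i] = t; return; }
}

/* Returns 1 if the timer was armed (it is now disarmed), 0 otherwise. */
static int del_timer_sync(struct timer_list *t)
{
	for (int i = 0; i < MAX_TIMERS; i++)
		if (pending[i] == t) { pending[i] = NULL; return 1; }
	return 0;
}

/* The timer softirq: dequeue each armed timer, then run its callback. */
static void run_timers(void)
{
	for (int i = 0; i < MAX_TIMERS; i++) {
		struct timer_list *t = pending[i];
		if (!t)
			continue;
		pending[i] = NULL;
		t->function(t);
	}
}

/* Driver state. devres frees it when probe() fails; the model poisons it with a
 * constructed marker value instead, so the model itself stays memory-safe. */
#define STATE_ALIVE 0x74633837u
#define STATE_FREED 0xdeadbeefu

struct tc358743_state {
	struct timer_list timer;
	unsigned int magic;
};

static int uaf_hits; /* callbacks that ran on released state */

static void tc358743_timer_func(struct timer_list *t)
{
	struct tc358743_state *state = container_of(t, struct tc358743_state, timer);
	if (state->magic != STATE_ALIVE) {
		uaf_hits++; /* in the kernel: the WARNING/crash shown above */
		return;
	}
	add_timer(t); /* a polling timer re-arms itself after each poll */
}

static int tc358743_probe(struct tc358743_state *state, bool hw_init_fails, bool fixed)
{
	state->magic = STATE_ALIVE;
	timer_setup(&state->timer, tc358743_timer_func);
	add_timer(&state->timer);
	if (hw_init_fails) {
		if (fixed)
			del_timer_sync(&state->timer); /* the fix: disarm before the state goes away */
		state->magic = STATE_FREED;            /* devres releasing the state */
		return -EIO;
	}
	return 0;
}

/* Probe fails after arming the timer, then the softirq runs. Returns how many
 * callbacks touched released state: 1 without the fix, 0 with it. */
static int probe_failure_scenario(bool fixed)
{
	struct tc358743_state state;
	for (int i = 0; i < MAX_TIMERS; i++)
		pending[i] = NULL;
	uaf_hits = 0;
	if (tc358743_probe(&state, true, fixed) == 0)
		return -1;
	run_timers();
	return uaf_hits;
}

int main(void)
{
	printf("unfixed error path: %d callback(s) on released state\n", probe_failure_scenario(false));
	printf("fixed error path:   %d callback(s) on released state\n", probe_failure_scenario(true));
	return 0;
}
```

Build with cc -std=c11 -Wall and run: the unfixed path reports one callback on released state, the fixed path reports none. The point the model makes is ordering, not the particular API: any cleanup that runs before the timer is disarmed (here the devres-style poison, in the kernel the real free) leaves a window in which the next softirq reaches the dead object.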
Reference to the patch:
- Commit: media: i2c: tc358743: Fix crash in the probe error path when using polling
- Kernel CVE: CVE-2024-56576 *(link may be updated as NVD syncs)*
Reproducing the Crash
1. Enable tc358743 polling in your kernel (the driver polls when its I2C client has no interrupt line).
2. Simulate/force a probe error after the timer is armed: for example, make hardware init fail (disconnect the chip, force probe to fail, etc.).
3. Observe the kernel logs: the system may crash or show a warning as soon as the timer fires.
> Do NOT attempt on production systems! Kernel panics can lead to corrupted filesystems or data loss.
Exploitability & Risk
Real-world exploitation is limited: the timer callback runs with no attacker-controlled data, so in practice the bug is a reliability problem (a kernel warning or panic) rather than a privilege-escalation primitive. But on Linux-based appliances and embedded devices that use a tc358743 in polling mode, anyone who can make the driver's probe fail can take the device down.
That typically means *physical access* or control over the hardware connections (the bridge chip or its I2C bus): the device stays down until it is rebooted.
References & Links
- Original Linux Kernel Patch
- Linux Kernel Media Mailinglist Thread
- CVE-2024-56576 at NIST (Pending)
- tc358743 Kernel Driver Source
Conclusion
CVE-2024-56576 is a great example of how subtle resource management bugs can crash an entire system. If you use media solutions with tc358743 chips or maintain Linux systems with this driver, patch your kernel today!
Always check for timer/resource cleanup in probe error paths when maintaining kernel modules. Small mistakes can bring big systems down.
*Stay safe, patch your systems, and follow us for more deep-dives into real-world Linux vulnerabilities.*
Timeline
Published on: 12/27/2024 15:15:16 UTC
Last modified on: 05/04/2025 09:58:44 UTC