On some PowerMac systems running Linux, a subtle device tree bug could trigger kernel warnings at boot, potentially destabilizing system initialization. This issue, now tracked as CVE-2024-56781, involved missing #size-cells properties in specific device tree nodes managed by the prom_init code. In this article, we break down how the bug appears, why it matters, code implications, and how it was fixed.

What Was the Problem?

The core problem: Certain PowerMac "escc" device tree nodes were missing the required #size-cells property. This property tells the kernel how many 32-bit cells encode the size field of the reg entries in a node's children, so the kernel can work out the memory and device layout. When it is absent, recent Linux kernels (since commit 045b14ca5c36) raise a warning.

You'd see something like this in your dmesg or boot logs:

Missing '#size-cells' in /pci@f200000/mac-io@c/escc@13000
WARNING: CPU:  PID:  at drivers/of/base.c:133 of_bus_n_size_cells+0x98/0x108
Hardware name: PowerMac3,1 740 0xc0209 PowerMac
...
Call Trace:
 of_bus_n_size_cells+0x98/0x108 (unreliable)
 of_bus_default_count_cells+0x40/0x60
 __of_get_address+0xc8/0x21c
 __of_address_to_resource+0x5c/0x228
 pmz_init_port+0x5c/0x2ec
 pmz_probe.isra.+0x144/0x1e4
 pmz_console_init+0x10/0x48
 console_init+0xcc/0x138
 start_kernel+0x5c4/0x694

This warning chain can confuse system integrators or break boot scripts expecting a silent or normal boot. And while this wasn’t directly used to perform a remote exploit, it did point to a gap in device tree parsing, a frequent hurdle in secure and stable boot interactions.

Device Trees, PowerMac, and #size-cells

In Linux's device tree framework, #size-cells tells the kernel how many 32-bit cells a child node's reg property uses to encode the size of each memory region. On PowerMacs, some historic device tree blobs fail to provide this on the escc node, even though the kernel expects it there. Commit 045b14ca5c36 changed the kernel to complain loudly about the missing property instead of silently falling back to an ancestor's value.

The particular bug appeared in boot code (prom_init), which is responsible for translating Open Firmware (OF) device tree structures early in the boot process.

Here's a simplified view of where the flow breaks:

// device node information accessed during boot (simplified)
struct device_node *node = of_find_node_by_path("/pci@f200000/mac-io@c/escc@13000");

// of_get_property() returns NULL when the property is absent
if (!of_get_property(node, "#size-cells", NULL)) {
    pr_warn("Missing '#size-cells' in %pOF\n", node);
    WARN_ON(1); // this is the WARNING seen in the boot log above
}
of_node_put(node); // drop the reference taken by of_find_node_by_path()

And these warnings stem from using of_bus_n_size_cells in code paths visited during device address resolution.

Solution & Patch

The Fix:
Add the missing #size-cells value dynamically during boot in the prom_init code for PowerMacs, _except_ for escc-legacy nodes (which don't cause problems).

Here's pseudocode of the rough fix logic:

// Rough fix logic (pseudocode using the kernel's OF helpers; the real fix
// lives in prom_init, which uses prom_getprop()/prom_setprop() instead)
struct device_node *escc_node;

for_each_child_of_node(mac_io_node, escc_node) {
    static __be32 one = cpu_to_be32(1);          // DT cells are big-endian
    static struct property size_cells = {
        .name = "#size-cells", .length = sizeof(one), .value = &one,
    };

    // of_node_name_eq() ignores the unit address, so "escc-legacy" does not match
    if (!of_node_name_eq(escc_node, "escc"))
        continue;
    if (!of_get_property(escc_node, "#size-cells", NULL))
        of_add_property(escc_node, &size_cells);
}

This ensures that all new boots set up the device tree according to the kernel’s current expectations, eliminating the warning.
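To make the warning path and the fix logic concrete, here is an added user-space C model (not kernel code and not from the patch) of the two snippets above: resolve_size_cells() looks the property up on the node and records the warning when it has to fall back to an ancestor, and fixup_escc_size_cells() applies the escc-only fixup while leaving escc-legacy nodes alone. Node names, the NO_CELLS marker and the NULL-terminated child array are assumptions of this model.

```c
/* User-space model of the #size-cells lookup and the prom_init-style fixup
 * described above (constructed example, not kernel code). */
#include <string.h>

#define NO_CELLS (-1)              /* node has no "#size-cells" property */

struct dt_node {
    const char *name;              /* "escc@13000": name plus unit address */
    struct dt_node *parent;
    int size_cells;                /* "#size-cells" value or NO_CELLS */
};

/* Mirrors of_node_name_eq(): compare only the part before '@'. */
int node_name_eq(const struct dt_node *np, const char *name)
{
    size_t len = strcspn(np->name, "@");
    return len == strlen(name) && strncmp(np->name, name, len) == 0;
}

/* The lookup behind the boot warning: the property is expected on the node
 * itself; an ancestor's value (or the root default 1) still decodes, but is
 * the deprecated fallback the kernel now reports with WARN. */
int resolve_size_cells(const struct dt_node *np, int *warned)
{
    *warned = (np->size_cells == NO_CELLS); /* "Missing '#size-cells' in %pOF" */
    for (; np; np = np->parent)
        if (np->size_cells != NO_CELLS)
            return np->size_cells;
    return 1;
}

/* The fix's logic over mac-io's children (NULL-terminated): each "escc" node
 * lacking #size-cells gets 1; "escc-legacy" is skipped. Returns nodes patched. */
int fixup_escc_size_cells(struct dt_node **children)
{
    int patched = 0;
    for (; *children; children++) {
        if (!node_name_eq(*children, "escc") || (*children)->size_cells != NO_CELLS)
            continue;
        (*children)->size_cells = 1;
        patched++;
    }
    return patched;
}
```

Build the chain root, pci@f200000, mac-io@c, escc@13000 with the escc node lacking the property: resolve_size_cells() returns 1 (inherited from mac-io) with warned set before the fixup, and 1 with warned clear afterwards, while an escc-legacy sibling keeps NO_CELLS.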

You can see this change in the official kernel commit:

- powerpc/prom_init: Fixup missing powermac #size-cells

Exploitability & Security Impact

- Risk: Low. This bug is not directly exploitable for privilege escalation or remote attack. However, it could amount to a denial of service if frequent warnings or improper memory setup cause a kernel panic (a WARN only becomes a panic when panic_on_warn is set).
- Who’s affected?: Users booting recent kernels on older PowerMac computers, primarily those with legacy device trees.
- What should you do?: If you maintain or rely on Linux running on PowerMac hardware, update to a kernel version containing this fix (June 2024 or later).

Conclusion

CVE-2024-56781 is a textbook example of how device tree correctness matters—even for legacy systems. Small inconsistencies, when paired with kernel validation, can cause big headaches during early boot. Thanks to this fix, future PowerMac boots will be cleaner and more stable.

References

- Kernel Patch Commit: Fixup missing powermac #size-cells
- Linux commit 045b14ca5c36 (of: WARN on deprecated #address-cells/#size-cells)
- Device Tree Documentation (kernel.org)

Stay updated for more kernel fixes and explanations!

*This post is an exclusive breakdown for those maintaining legacy Linux systems and anyone interested in device tree pitfalls in the kernel boot process.*

Timeline

Published on: 01/08/2025 18:15:19 UTC
Last modified on: 01/09/2025 21:21:49 UTC