In early 2024, a flaw was discovered in the device tree files (DTS) for Loongson64 systems in the Linux kernel. Identified as CVE-2024-56785, this vulnerability affected the way PCIe port nodes were defined for the Loongson ls7a chipset, potentially leading to boot warnings and misconfigured device trees, and even exploitable runtime kernel misbehavior.
This article breaks down CVE-2024-56785 in a simple way, demonstrates how it appeared, details the fix, and explores what could go wrong if left unpatched (exploit scenario). You’ll also find links to the upstream commit and further references.
What Was the Vulnerability?
Device Tree Source (DTS) files describe hardware for the Linux kernel. For Loongson64’s ls7a platform, the PCIe port nodes were misconfigured. The kernel’s device tree compiler (dtc) and runtime system issued warnings about:
Sample warning
arch/mips/boot/dts/loongson/ls7a-pch.dtsi:68.16-416.5: Warning (interrupt_provider): /bus@10000000/pci@1a000000: '#interrupt-cells' found, but node is not an interrupt provider
WARNING: CPU: PID: 1 at drivers/of/base.c:106 of_bus_n_addr_cells+x9c/xe
Missing '#address-cells' in /bus@10000000/pci@1a000000/pci_bridge@9,
Why Is This a Security or Reliability Problem?
- Malformed device trees can trip up kernel device handling, causing missed interrupts or even kernel panics.
- Interrupt remapping bugs could be further exploited to cause Denial of Service (DoS) or escalate privileges, especially if a local attacker can influence device initialization or hardware hotplug.
- Silent kernel misbehavior: Peripheral devices may not be detected, or incorrect operations may occur.
The Exploit Scenario
Imagine a cloud where guests can boot custom kernels or device trees (common in research environments or PaaS providers). By tweaking the broken device tree entry, an attacker could:
- Exploit the kernel crash path (NULL pointer dereference or OOPSes) when the system encounters malformed #address-cells or #interrupt-cells properties.
Potentially stop device initialization—creating a denial-of-service vector.
- Build a local privilege escalation if they hit a kernel code path relying on these properties (specific to LS7A PCIe).
Proof of concept
A modified device tree (based on the vulnerable version) triggers the kernel warning/OOPS.
// Vulnerable snippet before fix (stripped for clarity)
pci@1a000000 {
#interrupt-cells = <1>;
// missing interrupt-controller or improper mapping
pcie-bridge@9, {
// missing #address-cells
};
};
Result: On boot, the kernel will emit warnings and may panic or misconfigure hardware.
How Was It Fixed?
The fix—see commit 045b14ca5c36 and d89a415ff8d5—properly defined the PCIe root port nodes, ensuring:
Fixed code snippet
pci@1a000000 {
#address-cells = <3>;
#size-cells = <2>;
// If providing interrupts:
interrupt-controller;
#interrupt-cells = <1>;
...
pcie-bridge@9, {
#address-cells = <2>;
#size-cells = <2>;
};
};
This ensures a clean boot—no warnings during dtc compile or at runtime.
Can This Be Exploited on My System?
If you run a Loongson64 device with an unpatched kernel or outdated device tree, your system is exposed to instability and potential targeted attacks using device tree manipulation. In curated datacenter environments, risk is low; in research or custom-boot setups, the risk is higher.
References
- Upstream kernel fix (commit 045b14ca5c36)
- Earlier related fix (commit d89a415ff8d5)
- Loongson64 Device Tree Discussion Thread (LKML)
- Linux Device Trees — Documentation
Conclusion
CVE-2024-56785 is a prime example of how hardware description bugs can quietly introduce system instability and security risks, especially on sophisticated SoCs like Loongson64 LS7A. Always update your kernel and device trees, and double-check your boot warnings!
If you are impacted, patch now—and stay safe.
Timeline
Published on: 01/08/2025 18:15:19 UTC
Last modified on: 01/20/2025 06:28:07 UTC