CVE-2024-42128 in Linuxinfo

Summary

by MITRE • 07/30/2024

In the Linux kernel, the following vulnerability has been resolved:

leds: an30259a: Use devm_mutex_init() for mutex initialization

In this driver LEDs are registered using devm_led_classdev_register() so they are automatically unregistered after module's remove() is done. led_classdev_unregister() calls module's led_set_brightness() to turn off the LEDs and that callback uses mutex which was destroyed already in module's remove() so use devm API instead.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/29/2025

The vulnerability identified as CVE-2024-42128 resides within the Linux kernel's LED subsystem, specifically affecting the an30259a driver implementation. This issue represents a classic resource management flaw that occurs during driver module cleanup operations. The problem manifests when the kernel attempts to unregister LED devices through the devm_led_classdev_register() function, which automatically handles device cleanup upon module removal. However, the underlying mutex synchronization primitive used by the driver's led_set_brightness() callback function was not properly initialized using the device-managed memory allocation APIs, creating a scenario where critical synchronization resources are prematurely destroyed before they can be safely accessed during the cleanup process.

The technical root cause of this vulnerability stems from improper initialization of synchronization primitives within the driver's lifecycle management. When the an30259a driver module is removed from the kernel, the device manager automatically unregisters all registered LED devices through the devm_led_classdev_register() mechanism. During this cleanup process, led_classdev_unregister() invokes the led_set_brightness() callback function to turn off the LEDs, but this callback attempts to acquire a mutex that was already destroyed during the module removal sequence. This creates a race condition scenario where the mutex destruction occurs before the cleanup callback execution, leading to potential memory corruption or undefined behavior that could be exploited by malicious actors.

The operational impact of this vulnerability extends beyond simple system instability into potential security implications within embedded systems and device drivers that rely on proper synchronization mechanisms. Attackers could potentially exploit this flaw to cause system crashes, data corruption, or in more sophisticated scenarios, gain unauthorized access to system resources through memory corruption exploits. The vulnerability particularly affects systems using the an30259a LED driver, which is commonly found in various embedded devices, IoT platforms, and mobile devices where LED control functionality is implemented. This flaw aligns with CWE-691, which addresses insufficient control flow management, and could potentially be leveraged through ATT&CK techniques involving privilege escalation or system instability.

The resolution for CVE-2024-42128 involves implementing proper device-managed mutex initialization using the devm_mutex_init() function instead of standard mutex initialization methods. This change ensures that the mutex synchronization primitive remains valid throughout the driver's operational lifecycle and is properly cleaned up only after all callbacks have completed execution. The fix follows established best practices for kernel module development and device management, ensuring that all resources allocated through device manager APIs are properly tracked and released in the correct sequence. This approach prevents the premature destruction of synchronization primitives that could lead to memory corruption or system instability during driver cleanup operations. The solution demonstrates adherence to kernel security standards and proper resource lifecycle management principles that are fundamental to maintaining system integrity in embedded and mobile computing environments.

Responsible

Linux

Reservation

07/29/2024

Disclosure

07/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00225

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!