CVE-2024-50224 in Linux
Summary
by MITRE • 11/09/2024
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-fsl-dspi: Fix crash when not using GPIO chip select
Add check for the return value of spi_get_csgpiod() to avoid passing a NULL pointer to gpiod_direction_output(), preventing a crash when GPIO chip select is not used.
Fix below crash: [ 4.251960] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 4.260762] Mem abort info:
[ 4.263556] ESR = 0x0000000096000004
[ 4.267308] EC = 0x25: DABT (current EL), IL = 32 bits
[ 4.272624] SET = 0, FnV = 0
[ 4.275681] EA = 0, S1PTW = 0
[ 4.278822] FSC = 0x04: level 0 translation fault
[ 4.283704] Data abort info:
[ 4.286583] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 4.292074] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 4.297130] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 4.302445] [0000000000000000] user address but active_mm is swapper
[ 4.308805] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 4.315072] Modules linked in:
[ 4.318124] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc4-next-20241023-00008-ga20ec42c5fc1 #359
[ 4.328130] Hardware name: LS1046A QDS Board (DT)
[ 4.332832] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.339794] pc : gpiod_direction_output+0x34/0x5c
[ 4.344505] lr : gpiod_direction_output+0x18/0x5c
[ 4.349208] sp : ffff80008003b8f0
[ 4.352517] x29: ffff80008003b8f0 x28: 0000000000000000 x27: ffffc96bcc7e9068
[ 4.359659] x26: ffffc96bcc6e00b0 x25: ffffc96bcc598398 x24: ffff447400132810
[ 4.366800] x23: 0000000000000000 x22: 0000000011e1a300 x21: 0000000000020002
[ 4.373940] x20: 0000000000000000 x19: 0000000000000000 x18: ffffffffffffffff
[ 4.381081] x17: ffff44740016e600 x16: 0000000500000003 x15: 0000000000000007
[ 4.388221] x14: 0000000000989680 x13: 0000000000020000 x12: 000000000000001e
[ 4.395362] x11: 0044b82fa09b5a53 x10: 0000000000000019 x9 : 0000000000000008
[ 4.402502] x8 : 0000000000000002 x7 : 0000000000000007 x6 : 0000000000000000
[ 4.409641] x5 : 0000000000000200 x4 : 0000000002000000 x3 : 0000000000000000
[ 4.416781] x2 : 0000000000022202 x1 : 0000000000000000 x0 : 0000000000000000
[ 4.423921] Call trace:
[ 4.426362] gpiod_direction_output+0x34/0x5c (P)
[ 4.431067] gpiod_direction_output+0x18/0x5c (L)
[ 4.435771] dspi_setup+0x220/0x334
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/02/2025
The vulnerability CVE-2024-50224 addresses a critical null pointer dereference issue within the Linux kernel's spi-fsl-dspi driver, specifically affecting systems utilizing the Freescale DSPI (Dual SPI) interface. This flaw manifests when the driver attempts to configure GPIO chip select lines without proper validation of the GPIO descriptor returned by spi_get_csgpiod(). The absence of a return value check leads to a scenario where a NULL pointer is passed to gpiod_direction_output(), resulting in a kernel oops and potential system crash. The issue is particularly significant in embedded systems using the LS1046A QDS board as indicated by the crash logs, where the kernel attempts to access virtual address zero during the execution of gpiod_direction_output(). This represents a classic violation of input validation principles and can be categorized under CWE-476 as a NULL pointer dereference, which directly impacts system stability and availability.
The technical exploitation of this vulnerability occurs during the SPI device setup phase when the dspi_setup function is invoked. The driver calls spi_get_csgpiod() to retrieve the GPIO chip select descriptor, but fails to verify whether the returned value is valid before proceeding. When GPIO chip select is not configured or unavailable, this function returns NULL, yet the subsequent call to gpiod_direction_output() does not account for this condition. The kernel's memory management system detects this invalid pointer dereference and generates a data abort exception with ESR code 0x96000004, indicating a data access fault at virtual address zero. This behavior aligns with ATT&CK technique T1490, where system stability is compromised through kernel-level memory corruption, and demonstrates the critical nature of proper error handling in kernel space operations.
The operational impact of CVE-2024-50224 extends beyond simple system crashes to encompass potential denial of service conditions in embedded and industrial environments where SPI communication is essential. Systems utilizing the Freescale DSPI controller, particularly those in networking equipment, automotive applications, or industrial control systems, may experience unexpected system reboots or complete failure of SPI communication capabilities. The vulnerability affects any kernel version incorporating the spi-fsl-dspi driver where GPIO chip select functionality is not explicitly enabled or available, making it particularly concerning for devices that rely on SPI for critical operations. Additionally, the crash occurs early in the boot process as indicated by the timestamp, suggesting that affected systems may fail to complete initialization and become completely non-functional. This vulnerability directly violates kernel security principles and can be exploited by malicious actors to create persistent denial of service conditions, particularly in environments where system reliability is paramount.
Mitigation of CVE-2024-50224 requires immediate application of the kernel patch that introduces proper validation of the spi_get_csgpiod() return value before invoking gpiod_direction_output(). This fix ensures that the driver checks for NULL pointers and handles the absence of GPIO chip select gracefully, either by skipping the GPIO configuration or by implementing appropriate fallback behavior. System administrators should prioritize updating to kernel versions containing this fix, particularly in production environments where SPI communication is critical. Organizations should also implement monitoring for kernel oops events and system crashes related to SPI drivers, as these may indicate the presence of unpatched systems. The fix demonstrates the importance of defensive programming practices in kernel space, where every pointer dereference must be validated to prevent unauthorized access or system instability. Regular kernel updates and security audits of embedded systems are essential to prevent exploitation of similar vulnerabilities, as the ATT&CK framework emphasizes the need for robust kernel-level defenses against memory corruption attacks.