CVE-2024-50232 in Linux

Summary

by MITRE • 11/09/2024

In the Linux kernel, the following vulnerability has been resolved:

iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr()

In the ad7124_write_raw() function, parameter val can potentially be zero. This may lead to a division by zero when DIV_ROUND_CLOSEST() is called within ad7124_set_channel_odr(). The ad7124_write_raw() function is invoked through the sequence: iio_write_channel_raw() -> iio_write_channel_attribute() -> iio_channel_write(), with no checks in place to ensure val is non-zero.


Analysis

by VulDB Data Team • 10/02/2025

The vulnerability identified as CVE-2024-50232 represents a critical division by zero flaw within the Linux kernel's industrial I/O (IIO) subsystem, specifically affecting the ad7124 analog-to-digital converter driver. This issue manifests in the ad7124_set_channel_odr() function where the DIV_ROUND_CLOSEST() macro is invoked without proper validation of the input parameter val, which can legitimately assume a zero value during normal operation. The ad7124 driver is part of the broader IIO framework that provides standardized interfaces for sensor and measurement devices in embedded systems, making this vulnerability particularly concerning for industrial automation and embedded computing environments where such ADCs are commonly deployed.

The technical execution path of this vulnerability begins with the ad7124_write_raw() function being called through the standard IIO channel write interface chain iio_write_channel_raw() -> iio_write_channel_attribute() -> iio_channel_write(). This sequence does not include any pre-validation to ensure that the val parameter remains non-zero before it reaches the problematic division operation within ad7124_set_channel_odr(). The DIV_ROUND_CLOSEST() macro, which is commonly used in kernel code for rounding division operations, becomes a point of failure when passed a zero denominator, resulting in immediate system termination or potential memory corruption. This flaw directly violates the fundamental principle of defensive programming and represents a classic example of inadequate input validation that can lead to system crashes or unauthorized code execution.

The operational impact of CVE-2024-50232 extends beyond simple system crashes to potentially compromise entire embedded systems that rely on the ad7124 ADC for critical measurements. In industrial control systems, medical devices, automotive applications, and IoT deployments where precise analog measurements are essential, a division by zero error can cause complete system failure, leading to safety hazards or operational downtime. The vulnerability affects systems using the ad7124 ADC chip manufactured by Analog Devices, which is widely deployed in applications requiring high-precision analog-to-digital conversion. From an attack surface perspective, this vulnerability could be exploited by malicious actors to cause denial of service in embedded systems, potentially leading to cascading failures in connected infrastructure. The flaw also represents a violation of the principle of least privilege as it allows an unprivileged user or process to trigger kernel-level crashes through seemingly benign IIO channel attribute writes.

Mitigation strategies for CVE-2024-50232 must address both immediate patching requirements and long-term defensive programming practices. The primary solution involves applying the kernel patch that introduces proper validation of the val parameter before invoking DIV_ROUND_CLOSEST(), ensuring that zero values are either rejected or handled gracefully through alternative computation paths. System administrators should prioritize updating affected kernel versions, particularly in production environments where the ad7124 ADC driver is actively used. Additionally, implementing proper input validation at the IIO subsystem level can help prevent similar vulnerabilities in other ADC drivers within the same framework. Organizations should also consider monitoring for anomalous IIO channel write operations that might indicate exploitation attempts. This vulnerability aligns with CWE-369, which specifically addresses the division by zero error condition, and could potentially map to ATT&CK technique T1499.004 for denial of service attacks targeting kernel-level components. The remediation process should include comprehensive testing of IIO subsystem functionality to ensure that the patch does not introduce regressions in legitimate ADC operations while maintaining the system's ability to handle edge cases in channel configuration.
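The unchecked path and the validated one described above, as a user-space C model added here for illustration; it is not the kernel driver's code or the upstream patch. All `model_*` names, the simplified rounding macro and the clock and request values are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified unsigned stand-in for the kernel's DIV_ROUND_CLOSEST();
 * like the kernel macro, it does not check the divisor. */
#define MODEL_DIV_ROUND_CLOSEST(x, d) (((x) + ((d) / 2)) / (d))

/* Hypothetical channel state; not the driver's real structure. */
struct model_chan {
	unsigned int fclk_hz;	/* constructed sample clock rate */
	unsigned int divider;	/* last value programmed */
};

/* Callee that trusts its caller: odr == 0 reaches the division. */
static void model_set_channel_odr(struct model_chan *ch, unsigned int odr)
{
	ch->divider = MODEL_DIV_ROUND_CLOSEST(ch->fclk_hz, odr);
}

/* Before: val is forwarded unchanged, so val == 0 divides by zero. */
static int model_write_raw_unchecked(struct model_chan *ch, int val)
{
	model_set_channel_odr(ch, (unsigned int)val);
	return 0;
}

/* After: zero is rejected at the handler boundary with -EINVAL,
 * before any state is touched. */
static int model_write_raw_checked(struct model_chan *ch, int val)
{
	if (val == 0)
		return -EINVAL;
	model_set_channel_odr(ch, (unsigned int)val);
	return 0;
}

int main(void)
{
	struct model_chan ch = { .fclk_hz = 614400u, .divider = 0u };
	const int requests[] = { 19200, 0, 1000 };	/* constructed inputs */

	for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
		int ret = model_write_raw_checked(&ch, requests[i]);
		printf("val=%d ret=%d divider=%u\n", requests[i], ret, ch.divider);
	}
	/* The unchecked handler is only safe with a non-zero request. */
	return model_write_raw_unchecked(&ch, 4096);
}
```

Placing the check in the write handler, ahead of the call that divides, means a rejected request leaves the previously programmed value in place and the caller gets an error code it can act on.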

Responsible: Linux
Reservation: 10/21/2024
Disclosure: 11/09/2024
Moderation: accepted
CPE: ready
EPSS: 0.00248
KEV: no
Activities: very low
