CVE-2024-50292 in Linux
Summary
by MITRE • 11/19/2024
In the Linux kernel, the following vulnerability has been resolved:
ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove
In case of error when requesting ctrl_chan DMA channel, ctrl_chan is not null. So the release of the dma channel leads to the following issue: [ 4.879000] st,stm32-spdifrx 500d0000.audio-controller:
dma_request_slave_channel error -19 [ 4.888975] Unable to handle kernel NULL pointer dereference
at virtual address 000000000000003d [...]
[ 5.096577] Call trace:
[ 5.099099] dma_release_channel+0x24/0x100
[ 5.103235] stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx]
[ 5.109494] stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx]
To avoid this issue, release channel only if the pointer is valid.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 10/02/2025
The vulnerability CVE-2024-50292 represents a critical NULL pointer dereference issue within the Linux kernel's sound subsystem, specifically affecting the stm32 spdifrx audio driver. This flaw exists in the audio controller driver for stm32 microcontrollers and demonstrates a classic programming error where device resources are not properly validated before being released. The vulnerability stems from improper handling of DMA channel allocation failures in the audio subsystem, creating a scenario where the kernel attempts to release a DMA channel that was never successfully allocated. The issue manifests when the ctrl_chan DMA channel request fails with error code -19, indicating a resource not available condition, yet the driver continues to attempt channel release operations without proper validation. This type of error falls under CWE-476 which specifically addresses NULL pointer dereferences, representing one of the most common and dangerous classes of software vulnerabilities in kernel space code.
The technical implementation flaw occurs during the device removal process where the stm32_spdifrx_remove function attempts to release DMA channels without verifying whether they were successfully allocated. When dma_request_slave_channel fails, it returns a non-null pointer that points to an invalid or corrupted DMA channel structure, but the driver does not check for this condition before proceeding with dma_release_channel operations. The kernel's call trace shows the execution path leading directly to the kernel NULL pointer dereference at virtual address 0x3d, which is typically the result of attempting to access a field within a corrupted or improperly initialized DMA channel structure. This particular error demonstrates poor error handling practices in kernel drivers where the assumption that a resource allocation was successful is made without proper validation, a pattern that violates fundamental kernel security principles and can lead to system crashes or potential privilege escalation.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling denial of service attacks against embedded systems running the affected Linux kernel versions. In automotive or industrial applications where stm32-based audio controllers are commonly deployed, this vulnerability could result in complete system failures during critical operations, particularly when audio subsystems are being initialized or removed. The vulnerability affects systems using the snd_soc_stm32_spdifrx kernel module, which is part of the Advanced SoC (ASoC) framework for audio drivers in Linux, making it relevant to a wide range of embedded devices including IoT appliances, automotive infotainment systems, and industrial control equipment. Attackers could potentially exploit this vulnerability by triggering the specific error condition during device removal, causing system instability or complete system hangs, which aligns with ATT&CK technique T1499.201 for resource hijacking and system instability.
The recommended mitigation strategy involves implementing proper null pointer validation before attempting DMA channel release operations, ensuring that only successfully allocated DMA channels are released. This fix requires modifying the stm32_spdifrx_remove function to check if the ctrl_chan pointer is valid before calling dma_release_channel, a pattern that aligns with the principle of defensive programming and proper resource management in kernel space. System administrators should update their embedded systems to kernel versions containing this fix, as the vulnerability affects the core audio subsystem functionality and cannot be effectively mitigated through configuration changes alone. The fix specifically addresses the root cause by ensuring that the driver only releases DMA channels that were actually successfully requested, preventing the NULL pointer dereference that leads to kernel oops and system instability. This vulnerability highlights the importance of rigorous error handling in kernel drivers and demonstrates how seemingly minor programming oversights can have significant security implications in embedded systems where reliability and stability are paramount.