CVE-2024-58067 in Linux
Summary
by MITRE • 03/06/2025
In the Linux kernel, the following vulnerability has been resolved:
clk: mmp: pxa1908-mpmu: Fix a NULL vs IS_ERR() check
The devm_kzalloc() function returns NULL on error, not error pointers. Update the check to match.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/16/2026
The vulnerability CVE-2024-58067 addresses a critical flaw in the Linux kernel's clock management subsystem, specifically within the Marvell MMP (Multi Media Processor) platform support code. This issue affects the pxa1908-mpmu driver which is responsible for managing clock sources and power management units on Marvell PXA1908 SoC devices. The flaw exists in how the driver handles memory allocation errors during device initialization, creating a potential pathway for system instability or denial of service conditions.
The technical root cause stems from an improper error checking pattern in the device memory allocation routine. The devm_kzalloc() function, which is designed to allocate and zero-initialize memory for device drivers, returns NULL when allocation fails rather than returning an error pointer as some developers might expect. However, the original code was incorrectly checking for IS_ERR() which is the standard macro used to test whether a pointer represents an error value rather than a valid memory address. This mismatch in error checking logic creates a scenario where a NULL return value from devm_kzalloc() is not properly recognized as an error condition, potentially allowing the driver to proceed with uninitialized or invalid memory references.
This vulnerability falls under CWE-476 which specifically addresses NULL pointer dereferences and improper error handling in software systems. The operational impact of this flaw could manifest as system crashes, kernel oops, or device driver failures when the pxa1908-mpmu driver attempts to initialize on affected hardware platforms. Systems running Linux kernels with the vulnerable code may experience unexpected termination of the clock management subsystem, potentially leading to broader system instability affecting device functionality and overall system reliability. The issue is particularly concerning in embedded systems and mobile devices that utilize Marvell PXA1908 processors where this driver is actively employed.
The fix for CVE-2024-58067 involves updating the error checking logic to properly handle the NULL return value from devm_kzalloc() by replacing the IS_ERR() check with a direct NULL comparison. This change aligns the driver's error handling with the documented behavior of the devm_kzalloc() function and follows established kernel development practices for proper memory allocation error management. The remediation process requires updating the driver code to use standard NULL pointer checks rather than error pointer checks for functions that are documented to return NULL on allocation failure. This fix ensures that allocation errors are properly detected and handled, preventing the driver from proceeding with invalid memory references and maintaining system stability.
From an ATT&CK perspective, this vulnerability could be leveraged in privilege escalation scenarios where an attacker might exploit the improper error handling to cause system crashes or potentially gain unauthorized access to system resources. The vulnerability represents a software quality issue that could be classified under the T1499.004 technique for network denial of service attacks through kernel exploitation. System administrators should prioritize patching this vulnerability in production environments, particularly in embedded systems where kernel-level stability is critical for device operation and overall system security posture. The fix demonstrates the importance of adhering to kernel development best practices and proper error handling methodologies to prevent security and stability issues in device drivers and kernel subsystems.