mirror of
https://github.com/0xMarcio/cve.git
synced 2025-11-28 18:48:49 +00:00
### [CVE-2024-56685](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56685)
### Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: mediatek: Check num_codecs is not zero to avoid panic during probe

Following commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component via COMP_DUMMY()"), COMP_DUMMY() became an array with zero length, and only gets populated with the dummy struct after the card is registered. Since the sound card driver's probe happens before the card registration, accessing any of the members of a dummy component during probe will result in undefined behavior.

This can be observed in the mt8188 and mt8195 machine sound drivers. By omitting a dai link subnode in the sound card's node in the Devicetree, the default uninitialized dummy codec is used, and when its dai_name pointer gets passed to strcmp() it results in a null pointer dereference and a kernel panic.

In addition to that, set_card_codec_info() in the generic helpers file, mtk-soundcard-driver.c, will populate a dai link with a dummy codec when a dai link node is present in DT but with no codec property.

The result is that at probe time, a dummy codec can either be uninitialized with num_codecs = 0, or be an initialized dummy codec, with num_codecs = 1 and dai_name = "snd-soc-dummy-dai". In order to accommodate for both situations, check that num_codecs is not zero before accessing the codecs' fields but still check for the codec's dai name against "snd-soc-dummy-dai" as needed.

While at it, also drop the check that dai_name is not null in the mt8192 driver, introduced in commit 4d4e1b6319e5 ("ASoC: mediatek: mt8192: Check existence of dai_name before dereferencing"), as it is actually redundant given the preceding num_codecs != 0 check.
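
A user-space C model of the check order the description calls for, added here as an illustration; it is not code from the kernel patch or the mirrored repository. The struct names, function names and sample links are assumptions that model only `num_codecs` and `dai_name`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the DAI link data; not the kernel's structs. */
struct codec_model { const char *dai_name; };
struct dai_link_model {
    const struct codec_model *codecs; /* NULL models the unpopulated array */
    unsigned int num_codecs;          /* 0 until a codec is populated */
};

#define DUMMY_DAI_NAME "snd-soc-dummy-dai"

/* Pre-fix pattern: reads codecs[0] without looking at num_codecs.
 * With num_codecs == 0 that read is undefined behaviour, so this is
 * shown for comparison only and is never called below. */
bool has_real_codec_unchecked(const struct dai_link_model *link)
{
    return strcmp(link->codecs[0].dai_name, DUMMY_DAI_NAME) != 0;
}

/* Fixed pattern: num_codecs is tested first; && short-circuits, so
 * codecs[0] is never touched for an unpopulated link. */
bool has_real_codec(const struct dai_link_model *link)
{
    return link->num_codecs != 0 &&
           strcmp(link->codecs[0].dai_name, DUMMY_DAI_NAME) != 0;
}

/* Constructed sample links covering the three probe-time states. */
static const struct codec_model dummy_codec = { DUMMY_DAI_NAME };
static const struct codec_model real_codec  = { "example-codec-dai" };
const struct dai_link_model link_unpopulated = { NULL, 0 };
const struct dai_link_model link_dummy       = { &dummy_codec, 1 };
const struct dai_link_model link_real        = { &real_codec, 1 };

/* Number of sample links that carry a real (non-dummy) codec. */
int count_real_codecs(void)
{
    return has_real_codec(&link_unpopulated) +
           has_real_codec(&link_dummy) + has_real_codec(&link_real);
}

int main(void)
{
    printf("links with a real codec: %d\n", count_real_codecs());
    return 0;
}
```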
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/cku-heise/euvd-api-doc