CVE-2024-58056: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Fix ida_free call while not allocated In the rproc_alloc() function, on error, put_device(&rproc->dev) is called, leading to the call of the rproc_type_release() function. An error can occurs before ida_alloc is called. In such case in rproc_type_release(), the condition (rproc->index >= 0) is true as rproc->index has been initialized to 0. ida_free() is called reporting a warning: [ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164 [ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0 [ 4.188854] ida_free called for id=0 which is not allocated. [ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000 [ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+) [ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442 [ 4.231481] Hardware name: STM32 (Device Tree Support) [ 4.236627] Workqueue: events_unbound deferred_probe_work_func [ 4.242504] Call trace: [ 4.242522] unwind_backtrace from show_stack+0x10/0x14 [ 4.250218] show_stack from dump_stack_lvl+0x50/0x64 [ 4.255274] dump_stack_lvl from __warn+0x80/0x12c [ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188 [ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164 [ 4.270565] ida_free from rproc_type_release+0x38/0x60 [ 4.275832] rproc_type_release from device_release+0x30/0xa0 [ 4.281601] device_release from kobject_put+0xc4/0x294 [ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c [ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4 [ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc] [ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is properly set.
AI Analysis
Technical Summary
CVE-2024-58056 is a vulnerability identified in the Linux kernel's remote processor (remoteproc) core subsystem. The issue arises in the rproc_alloc() function, which is responsible for allocating resources for remote processors. Specifically, on encountering an error during allocation, the function calls put_device(&rproc->dev), which triggers rproc_type_release(). However, an error can occur before the ida_alloc() function is called, which is responsible for allocating an ID for the remote processor. Since rproc->index is initialized to 0, the condition (rproc->index >= 0) evaluates to true, leading to a call to ida_free() with an ID that was never allocated. This results in a kernel warning and potentially unstable behavior, as indicated by kernel logs showing warnings such as "ida_free called for id=0 which is not allocated." The root cause is a race or logic error in resource cleanup during error handling, where the ID allocator is freed without a corresponding allocation. The fix involves calling ida_alloc() earlier in rproc_alloc() to ensure rproc->index is properly set before any error paths that might trigger ida_free(). This vulnerability is a logic flaw in kernel resource management rather than a direct memory corruption or privilege escalation bug. It can cause kernel warnings and potentially lead to instability or denial of service due to improper resource handling in the remoteproc subsystem. The affected component is critical for systems using remote processors, such as embedded devices or SoCs with auxiliary cores, including STM32 platforms as indicated by the logs. No known exploits are reported in the wild, and no CVSS score is assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-58056 depends largely on their use of Linux systems that employ the remoteproc subsystem, particularly in embedded or industrial environments. Organizations using Linux-based IoT devices, industrial control systems, or specialized hardware platforms like STM32 microcontrollers could experience kernel instability or denial of service if this vulnerability is triggered. While the vulnerability does not directly allow privilege escalation or remote code execution, the resulting kernel warnings and potential crashes could disrupt critical services or embedded applications. This could affect sectors such as manufacturing, automotive, telecommunications, and critical infrastructure where embedded Linux devices are prevalent. The impact on confidentiality and integrity is minimal, but availability could be affected due to system instability. Since exploitation requires triggering specific error conditions in kernel resource allocation, it is less likely to be exploited remotely without local access or crafted inputs to the kernel subsystem. However, attackers with local access or the ability to load kernel modules could potentially cause denial of service. Given the widespread use of Linux in Europe and the strategic importance of embedded Linux in industrial and IoT deployments, this vulnerability warrants attention to maintain system reliability and uptime.
Mitigation Recommendations
To mitigate CVE-2024-58056, European organizations should: 1) Apply the latest Linux kernel patches that address this issue as soon as they become available, especially for kernels used in embedded or industrial devices. 2) For organizations maintaining custom Linux kernels or embedded distributions, backport the fix that ensures ida_alloc() is called before any error path that might call ida_free(). 3) Monitor kernel logs for warnings related to ida_free() calls with unallocated IDs, which may indicate attempts to trigger this issue or underlying instability. 4) Restrict local access to systems running vulnerable kernels to reduce the risk of exploitation by unauthorized users. 5) In environments where kernel module loading is permitted, enforce strict module signing and loading policies to prevent malicious modules from triggering the vulnerability. 6) Conduct thorough testing of embedded devices and industrial systems after patching to ensure stability and correct operation of remoteproc components. 7) Engage with hardware and Linux distribution vendors to confirm that their releases include the fix and to receive timely updates. These steps go beyond generic advice by focusing on embedded and industrial Linux deployments, local access controls, and proactive monitoring of kernel warnings specific to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Sweden, Finland
CVE-2024-58056: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Fix ida_free call while not allocated In the rproc_alloc() function, on error, put_device(&rproc->dev) is called, leading to the call of the rproc_type_release() function. An error can occurs before ida_alloc is called. In such case in rproc_type_release(), the condition (rproc->index >= 0) is true as rproc->index has been initialized to 0. ida_free() is called reporting a warning: [ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164 [ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0 [ 4.188854] ida_free called for id=0 which is not allocated. [ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000 [ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+) [ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442 [ 4.231481] Hardware name: STM32 (Device Tree Support) [ 4.236627] Workqueue: events_unbound deferred_probe_work_func [ 4.242504] Call trace: [ 4.242522] unwind_backtrace from show_stack+0x10/0x14 [ 4.250218] show_stack from dump_stack_lvl+0x50/0x64 [ 4.255274] dump_stack_lvl from __warn+0x80/0x12c [ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188 [ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164 [ 4.270565] ida_free from rproc_type_release+0x38/0x60 [ 4.275832] rproc_type_release from device_release+0x30/0xa0 [ 4.281601] device_release from kobject_put+0xc4/0x294 [ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c [ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4 [ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc] [ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is properly set.
AI-Powered Analysis
Technical Analysis
CVE-2024-58056 is a vulnerability identified in the Linux kernel's remote processor (remoteproc) core subsystem. The issue arises in the rproc_alloc() function, which is responsible for allocating resources for remote processors. Specifically, on encountering an error during allocation, the function calls put_device(&rproc->dev), which triggers rproc_type_release(). However, an error can occur before the ida_alloc() function is called, which is responsible for allocating an ID for the remote processor. Since rproc->index is initialized to 0, the condition (rproc->index >= 0) evaluates to true, leading to a call to ida_free() with an ID that was never allocated. This results in a kernel warning and potentially unstable behavior, as indicated by kernel logs showing warnings such as "ida_free called for id=0 which is not allocated." The root cause is a race or logic error in resource cleanup during error handling, where the ID allocator is freed without a corresponding allocation. The fix involves calling ida_alloc() earlier in rproc_alloc() to ensure rproc->index is properly set before any error paths that might trigger ida_free(). This vulnerability is a logic flaw in kernel resource management rather than a direct memory corruption or privilege escalation bug. It can cause kernel warnings and potentially lead to instability or denial of service due to improper resource handling in the remoteproc subsystem. The affected component is critical for systems using remote processors, such as embedded devices or SoCs with auxiliary cores, including STM32 platforms as indicated by the logs. No known exploits are reported in the wild, and no CVSS score is assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-58056 depends largely on their use of Linux systems that employ the remoteproc subsystem, particularly in embedded or industrial environments. Organizations using Linux-based IoT devices, industrial control systems, or specialized hardware platforms like STM32 microcontrollers could experience kernel instability or denial of service if this vulnerability is triggered. While the vulnerability does not directly allow privilege escalation or remote code execution, the resulting kernel warnings and potential crashes could disrupt critical services or embedded applications. This could affect sectors such as manufacturing, automotive, telecommunications, and critical infrastructure where embedded Linux devices are prevalent. The impact on confidentiality and integrity is minimal, but availability could be affected due to system instability. Since exploitation requires triggering specific error conditions in kernel resource allocation, it is less likely to be exploited remotely without local access or crafted inputs to the kernel subsystem. However, attackers with local access or the ability to load kernel modules could potentially cause denial of service. Given the widespread use of Linux in Europe and the strategic importance of embedded Linux in industrial and IoT deployments, this vulnerability warrants attention to maintain system reliability and uptime.
Mitigation Recommendations
To mitigate CVE-2024-58056, European organizations should: 1) Apply the latest Linux kernel patches that address this issue as soon as they become available, especially for kernels used in embedded or industrial devices. 2) For organizations maintaining custom Linux kernels or embedded distributions, backport the fix that ensures ida_alloc() is called before any error path that might call ida_free(). 3) Monitor kernel logs for warnings related to ida_free() calls with unallocated IDs, which may indicate attempts to trigger this issue or underlying instability. 4) Restrict local access to systems running vulnerable kernels to reduce the risk of exploitation by unauthorized users. 5) In environments where kernel module loading is permitted, enforce strict module signing and loading policies to prevent malicious modules from triggering the vulnerability. 6) Conduct thorough testing of embedded devices and industrial systems after patching to ensure stability and correct operation of remoteproc components. 7) Engage with hardware and Linux distribution vendors to confirm that their releases include the fix and to receive timely updates. These steps go beyond generic advice by focusing on embedded and industrial Linux deployments, local access controls, and proactive monitoring of kernel warnings specific to this vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-03-06T15:52:09.179Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9822c4522896dcbde240
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 5:40:44 AM
Last updated: 8/7/2025, 12:54:57 PM
Views: 12
Related Threats
CVE-2025-8950: SQL Injection in Campcodes Online Recruitment Management System
MediumCVE-2025-27388: CWE-20 Improper Input Validation in OPPO OPPO HEALTH APP
HighCVE-2025-8949: Stack-based Buffer Overflow in D-Link DIR-825
HighCVE-2025-8948: SQL Injection in projectworlds Visitor Management System
MediumCVE-2025-8947: SQL Injection in projectworlds Visitor Management System
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.