CVE-2024-26867
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 17/04/2024
Last modified: 03/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

comedi: comedi_8255: Correct error in subdevice initialization

The refactoring done in commit 5c57b1ccecc7 ("comedi: comedi_8255: Rework
subdevice initialization functions") to the initialization of the io
field of struct subdev_8255_private broke all cards using the
drivers/comedi/drivers/comedi_8255.c module.

Prior to 5c57b1ccecc7, __subdev_8255_init() initialized the io field
in the newly allocated struct subdev_8255_private to the non-NULL
callback given to the function, otherwise it used a flag parameter to
select between subdev_8255_mmio and subdev_8255_io. The refactoring
removed that logic and the flag, as subdev_8255_mm_init() and
subdev_8255_io_init() now explicitly pass subdev_8255_mmio and
subdev_8255_io respectively to __subdev_8255_init(), only
__subdev_8255_init() never sets spriv->io to the supplied
callback. That spriv->io is NULL leads to a later BUG:

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0010 [#1] SMP PTI
CPU: 1 PID: 1210 Comm: systemd-udevd Not tainted 6.7.3-x86_64 #1
Hardware name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b
RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00
RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000
R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8
FS: 00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0
Call Trace:

? __die_body+0x15/0x57
? page_fault_oops+0x2ef/0x33c
? insert_vmap_area.constprop.0+0xb6/0xd5
? alloc_vmap_area+0x529/0x5ee
? exc_page_fault+0x15a/0x489
? asm_exc_page_fault+0x22/0x30
__subdev_8255_init+0x79/0x8d [comedi_8255]
pci_8255_auto_attach+0x11a/0x139 [8255_pci]
comedi_auto_config+0xac/0x117 [comedi]
? __pfx___driver_attach+0x10/0x10
pci_device_probe+0x88/0xf9
really_probe+0x101/0x248
__driver_probe_device+0xbb/0xed
driver_probe_device+0x1a/0x72
__driver_attach+0xd4/0xed
bus_for_each_dev+0x76/0xb8
bus_add_driver+0xbe/0x1be
driver_register+0x9a/0xd8
comedi_pci_driver_register+0x28/0x48 [comedi_pci]
? __pfx_pci_8255_driver_init+0x10/0x10 [8255_pci]
do_one_initcall+0x72/0x183
do_init_module+0x5b/0x1e8
init_module_from_file+0x86/0xac
__do_sys_finit_module+0x151/0x218
do_syscall_64+0x72/0xdb
entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7f72f50a0cb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 71 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd47e512d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000562dd06ae070 RCX: 00007f72f50a0cb9
RDX: 0000000000000000 RSI: 00007f72f52d32df RDI: 000000000000000e
RBP: 0000000000000000 R08: 00007f72f5168b20 R09: 0000000000000000
R10: 0000000000000050 R11: 0000000000000246 R12: 00007f72f52d32df
R13: 0000000000020000 R14: 0000562dd06785c0 R15: 0000562dcfd0e9a8

Modules linked in: 8255_pci(+) comedi_8255 comedi_pci comedi intel_gtt e100(+) acpi_cpufreq rtc_cmos usbhid
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b
RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00
RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000
R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8
FS:
---truncated---
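
A userspace C model of the regression described above, added here as an illustration and not the kernel's code. The struct and field names follow the description; `io_fn`, `model_io`, `init_regressed`, `init_fixed`, `do_config` and the NULL guards are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified callback type (assumption): the real driver's signature differs. */
typedef int (*io_fn)(unsigned long context, int dir, int port, int data);

struct subdev_8255_private {
    unsigned long context;
    io_fn io;               /* the field the refactoring left unset */
};

/* Stand-in for subdev_8255_io / subdev_8255_mmio: echoes the value written. */
static int model_io(unsigned long context, int dir, int port, int data)
{
    (void)context; (void)dir; (void)port;
    return data;
}

/* Regressed shape: the callback is passed in but never stored, so the
 * zero-initialised allocation keeps io == NULL. */
static struct subdev_8255_private *init_regressed(io_fn io, unsigned long context)
{
    struct subdev_8255_private *spriv = calloc(1, sizeof(*spriv));
    if (!spriv)
        return NULL;
    (void)io;               /* missing: spriv->io = io; */
    spriv->context = context;
    return spriv;
}

/* Corrected shape: store the supplied callback; rejecting NULL is an
 * extra defensive check added for this example. */
static struct subdev_8255_private *init_fixed(io_fn io, unsigned long context)
{
    struct subdev_8255_private *spriv;
    if (!io)
        return NULL;
    spriv = calloc(1, sizeof(*spriv));
    if (!spriv)
        return NULL;
    spriv->io = io;
    spriv->context = context;
    return spriv;
}

/* Guarded call site: an unset callback yields -1 instead of a jump to
 * address 0. Arguments 1, 3, 0x9b mirror RSI, RDX, RCX in the oops. */
static int do_config(struct subdev_8255_private *spriv)
{
    if (!spriv || !spriv->io)
        return -1;
    return spriv->io(spriv->context, 1, 3, 0x9b);
}

int main(void)
{
    printf("regressed: %d\n", do_config(init_regressed(model_io, 0)));
    printf("fixed:     %d\n", do_config(init_fixed(model_io, 0)));
    return 0;
}
```

Without the guard in `do_config`, the regressed object reproduces the failure mode in the trace: an indirect call through a NULL function pointer, which is why the oops reports `RIP: 0010:0x0`.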
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc7:*:*:*:*:*:* | | |