In the Linux kernel, the following vulnerability has been resolved:
mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read().
ubigluebiinit ubiregistervolumenotifier ubienumeratevolumes ubinotifyall gluebinotify nb->notifiercall() gluebicreate mtddeviceregister mtddeviceparseregister addmtddevice blktransnotifyadd not->add() ftladdmtd tr->addmtd() scanheader mtdread mtdreadoob mtdreadoobstd gluebiread mtd->read() gluebi->desc - NULL
Detailed reproduction information available at the Link [1],
In the normal case, obtain gluebi->desc in the gluebigetdevice(), and access gluebi->desc in the gluebiread(). However, gluebigetdevice() is not executed in advance in the ftladd_mtd() process, which leads to NULL pointer dereference.
The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME.