CVE-2024-26867

In the Linux kernel, the following vulnerability has been resolved:

comedi: comedi_8255: Correct error in subdevice initialization

The refactoring done in commit 5c57b1ccecc7 ("comedi: comedi8255: Rework subdevice initialization functions") to the initialization of the io field of struct subdev8255private broke all cards using the drivers/comedi/drivers/comedi8255.c module.

Prior to 5c57b1ccecc7, _subdev8255init() initialized the io field in the newly allocated struct subdev8255private to the non-NULL callback given to the function, otherwise it used a flag parameter to select between subdev8255mmio and subdev8255io. The refactoring removed that logic and the flag, as subdev8255mminit() and subdev8255ioinit() now explicitly pass subdev8255mmio and subdev8255io respectively to _subdev8255init(), only _subdev8255_init() never sets spriv->io to the supplied callback. That spriv->io is NULL leads to a later BUG:

BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0010 [#1] SMP PTI CPU: 1 PID: 1210 Comm: systemd-udevd Not tainted 6.7.3-x8664 #1 Hardware name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00 RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000 R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8 FS: 00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0 Call Trace: <TASK> ? diebody+0x15/0x57 ? pagefaultoops+0x2ef/0x33c ? insertvmaparea.constprop.0+0xb6/0xd5 ? allocvmaparea+0x529/0x5ee ? excpagefault+0x15a/0x489 ? asmexcpagefault+0x22/0x30 _subdev8255init+0x79/0x8d [comedi8255] pci8255autoattach+0x11a/0x139 [8255pci] comediautoconfig+0xac/0x117 [comedi] ? _pfxdriverattach+0x10/0x10 pcideviceprobe+0x88/0xf9 reallyprobe+0x101/0x248 _driverprobedevice+0xbb/0xed driverprobedevice+0x1a/0x72 _driverattach+0xd4/0xed busforeachdev+0x76/0xb8 busadddriver+0xbe/0x1be driverregister+0x9a/0xd8 comedipcidriverregister+0x28/0x48 [comedipci] ? _pfxpci8255driverinit+0x10/0x10 [8255pci] dooneinitcall+0x72/0x183 doinitmodule+0x5b/0x1e8 initmodulefromfile+0x86/0xac _dosysfinitmodule+0x151/0x218 dosyscall64+0x72/0xdb entrySYSCALL64afterhwframe+0x6e/0x76 RIP: 0033:0x7f72f50a0cb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 71 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffd47e512d8 EFLAGS: 00000246 ORIGRAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000562dd06ae070 RCX: 00007f72f50a0cb9 RDX: 0000000000000000 RSI: 00007f72f52d32df RDI: 000000000000000e RBP: 0000000000000000 R08: 00007f72f5168b20 R09: 0000000000000000 R10: 0000000000000050 R11: 0000000000000246 R12: 00007f72f52d32df R13: 0000000000020000 R14: 0000562dd06785c0 R15: 0000562dcfd0e9a8 </TASK> Modules linked in: 8255pci(+) comedi8255 comedipci comedi intelgtt e100(+) acpicpufreq rtccmos usbhid CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00 RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000 R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8 FS: ---truncated---