CVE-2024-26867

In the Linux kernel, the following vulnerability has been resolved: comedi:
comedi_8255: Correct error in subdevice initialization The refactoring done
in commit 5c57b1ccecc7 (“comedi: comedi_8255: Rework subdevice
initialization functions”) to the initialization of the io field of struct
subdev_8255_private broke all cards using the
drivers/comedi/drivers/comedi_8255.c module. Prior to 5c57b1ccecc7,
__subdev_8255_init() initialized the io field in the newly allocated struct
subdev_8255_private to the non-NULL callback given to the function,
otherwise it used a flag parameter to select between subdev_8255_mmio and
subdev_8255_io. The refactoring removed that logic and the flag, as
subdev_8255_mm_init() and subdev_8255_io_init() now explicitly pass
subdev_8255_mmio and subdev_8255_io respectively to __subdev_8255_init(),
only __subdev_8255_init() never sets spriv->io to the supplied callback.
That spriv->io is NULL leads to a later BUG: BUG: kernel NULL pointer
dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0010 [#1] SMP PTI
CPU: 1 PID: 1210 Comm: systemd-udevd Not tainted 6.7.3-x86_64 #1 Hardware
name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX RIP:
0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP:
0018:ffffa3f1c02d7b78 EFLAGS: 00010202 RAX: 0000000000000000 RBX:
ffff91f847aefd00 RCX: 000000000000009b RDX: 0000000000000003 RSI:
0000000000000001 RDI: ffff91f840f6fc00 RBP: ffff91f840f6fc00 R08:
0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11:
000000000000005f R12: 0000000000000000 R13: 0000000000000000 R14:
ffffffffc0102498 R15: ffff91f847ce6ba8 FS: 00007f72f4e8f500(0000)
GS:ffff91f8d5c80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000
CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010540e000 CR4:
00000000000406f0 Call Trace: <TASK> ? __die_body+0x15/0x57 ?
page_fault_oops+0x2ef/0x33c ? insert_vmap_area.constprop.0+0xb6/0xd5 ?
alloc_vmap_area+0x529/0x5ee ? exc_page_fault+0x15a/0x489 ?
asm_exc_page_fault+0x22/0x30 __subdev_8255_init+0x79/0x8d [comedi_8255]
pci_8255_auto_attach+0x11a/0x139 [8255_pci] comedi_auto_config+0xac/0x117
[comedi] ? __pfx___driver_attach+0x10/0x10 pci_device_probe+0x88/0xf9
really_probe+0x101/0x248 __driver_probe_device+0xbb/0xed
driver_probe_device+0x1a/0x72 __driver_attach+0xd4/0xed
bus_for_each_dev+0x76/0xb8 bus_add_driver+0xbe/0x1be
driver_register+0x9a/0xd8 comedi_pci_driver_register+0x28/0x48 [comedi_pci]
? __pfx_pci_8255_driver_init+0x10/0x10 [8255_pci]
do_one_initcall+0x72/0x183 do_init_module+0x5b/0x1e8
init_module_from_file+0x86/0xac __do_sys_finit_module+0x151/0x218
do_syscall_64+0x72/0xdb entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP:
0033:0x7f72f50a0cb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 71 0c 00 f7 d8 64 89 01 48 RSP:
002b:00007ffd47e512d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX:
ffffffffffffffda RBX: 0000562dd06ae070 RCX: 00007f72f50a0cb9 RDX:
0000000000000000 RSI: 00007f72f52d32df RDI: 000000000000000e RBP:
0000000000000000 R08: 00007f72f5168b20 R09: 0000000000000000 R10:
0000000000000050 R11: 0000000000000246 R12: 00007f72f52d32df R13:
0000000000020000 R14: 0000562dd06785c0 R15: 0000562dcfd0e9a8 </TASK>
Modules linked in: 8255_pci(+) comedi_8255 comedi_pci comedi intel_gtt
e100(+) acpi_cpufreq rtc_cmos usbhid CR2: 0000000000000000 —[ end trace
0000000000000000 ]— RIP: 0010:0x0 Code: Unable to access opcode bytes at
0xffffffffffffffd6. RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202 RAX:
0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b RDX:
0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00 RBP:
ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001 R10:
0000000000000000 R11: 000000000000005f R12: 0000000000000000 R13:
0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8 FS:
—truncated—

Notes