fkie_cve-2024-26867
Vulnerability from fkie_nvd
Published
2024-04-17 11:15
Modified
2025-03-04 15:48
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: comedi: comedi_8255: Correct error in subdevice initialization The refactoring done in commit 5c57b1ccecc7 ("comedi: comedi_8255: Rework subdevice initialization functions") to the initialization of the io field of struct subdev_8255_private broke all cards using the drivers/comedi/drivers/comedi_8255.c module. Prior to 5c57b1ccecc7, __subdev_8255_init() initialized the io field in the newly allocated struct subdev_8255_private to the non-NULL callback given to the function, otherwise it used a flag parameter to select between subdev_8255_mmio and subdev_8255_io. The refactoring removed that logic and the flag, as subdev_8255_mm_init() and subdev_8255_io_init() now explicitly pass subdev_8255_mmio and subdev_8255_io respectively to __subdev_8255_init(), only __subdev_8255_init() never sets spriv->io to the supplied callback. That spriv->io is NULL leads to a later BUG: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0010 [#1] SMP PTI CPU: 1 PID: 1210 Comm: systemd-udevd Not tainted 6.7.3-x86_64 #1 Hardware name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00 RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000 R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8 FS: 00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0 Call Trace: <TASK> ? __die_body+0x15/0x57 ? page_fault_oops+0x2ef/0x33c ? insert_vmap_area.constprop.0+0xb6/0xd5 ? alloc_vmap_area+0x529/0x5ee ? exc_page_fault+0x15a/0x489 ? asm_exc_page_fault+0x22/0x30 __subdev_8255_init+0x79/0x8d [comedi_8255] pci_8255_auto_attach+0x11a/0x139 [8255_pci] comedi_auto_config+0xac/0x117 [comedi] ? __pfx___driver_attach+0x10/0x10 pci_device_probe+0x88/0xf9 really_probe+0x101/0x248 __driver_probe_device+0xbb/0xed driver_probe_device+0x1a/0x72 __driver_attach+0xd4/0xed bus_for_each_dev+0x76/0xb8 bus_add_driver+0xbe/0x1be driver_register+0x9a/0xd8 comedi_pci_driver_register+0x28/0x48 [comedi_pci] ? __pfx_pci_8255_driver_init+0x10/0x10 [8255_pci] do_one_initcall+0x72/0x183 do_init_module+0x5b/0x1e8 init_module_from_file+0x86/0xac __do_sys_finit_module+0x151/0x218 do_syscall_64+0x72/0xdb entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7f72f50a0cb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 71 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffd47e512d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000562dd06ae070 RCX: 00007f72f50a0cb9 RDX: 0000000000000000 RSI: 00007f72f52d32df RDI: 000000000000000e RBP: 0000000000000000 R08: 00007f72f5168b20 R09: 0000000000000000 R10: 0000000000000050 R11: 0000000000000246 R12: 00007f72f52d32df R13: 0000000000020000 R14: 0000562dd06785c0 R15: 0000562dcfd0e9a8 </TASK> Modules linked in: 8255_pci(+) comedi_8255 comedi_pci comedi intel_gtt e100(+) acpi_cpufreq rtc_cmos usbhid CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00 RBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000 R13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8 FS: ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4a825457a45d8debc46ab8cba57d47462411710dPatch, Mailing List
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cfa9ba1ae0bef0681833a22d326174fe633caab5Patch, Mailing List
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/4a825457a45d8debc46ab8cba57d47462411710dPatch, Mailing List
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/cfa9ba1ae0bef0681833a22d326174fe633caab5Patch, Mailing List
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel 6.8
linux linux_kernel 6.8
linux linux_kernel 6.8
linux linux_kernel 6.8
linux linux_kernel 6.8
linux linux_kernel 6.8
linux linux_kernel 6.8


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD",
              "versionEndExcluding": "6.7.11",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "056BD938-0A27-4569-B391-30578B309EE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F02056A5-B362-4370-9FF8-6F0BD384D520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "62075ACE-B2A0-4B16-829D-B3DA5AE5CC41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "A780F817-2A77-4130-A9B7-5C25606314E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "AEB9199B-AB8F-4877-8964-E2BA95B5F15C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "C9B8A5CE-6D20-4C36-AC01-ACA4B70003A8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: comedi_8255: Correct error in subdevice initialization\n\nThe refactoring done in commit 5c57b1ccecc7 (\"comedi: comedi_8255: Rework\nsubdevice initialization functions\") to the initialization of the io\nfield of struct subdev_8255_private broke all cards using the\ndrivers/comedi/drivers/comedi_8255.c module.\n\nPrior to 5c57b1ccecc7, __subdev_8255_init() initialized the io field\nin the newly allocated struct subdev_8255_private to the non-NULL\ncallback given to the function, otherwise it used a flag parameter to\nselect between subdev_8255_mmio and subdev_8255_io. The refactoring\nremoved that logic and the flag, as subdev_8255_mm_init() and\nsubdev_8255_io_init() now explicitly pass subdev_8255_mmio and\nsubdev_8255_io respectively to __subdev_8255_init(), only\n__subdev_8255_init() never sets spriv-\u003eio to the supplied\ncallback. That spriv-\u003eio is NULL leads to a later BUG:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0010 [#1] SMP PTI\nCPU: 1 PID: 1210 Comm: systemd-udevd Not tainted 6.7.3-x86_64 #1\nHardware name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b\nRDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00\nRBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001\nR10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000\nR13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8\nFS:  00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0\nCall Trace:\n \u003cTASK\u003e\n ? __die_body+0x15/0x57\n ? page_fault_oops+0x2ef/0x33c\n ? insert_vmap_area.constprop.0+0xb6/0xd5\n ? alloc_vmap_area+0x529/0x5ee\n ? exc_page_fault+0x15a/0x489\n ? asm_exc_page_fault+0x22/0x30\n __subdev_8255_init+0x79/0x8d [comedi_8255]\n pci_8255_auto_attach+0x11a/0x139 [8255_pci]\n comedi_auto_config+0xac/0x117 [comedi]\n ? __pfx___driver_attach+0x10/0x10\n pci_device_probe+0x88/0xf9\n really_probe+0x101/0x248\n __driver_probe_device+0xbb/0xed\n driver_probe_device+0x1a/0x72\n __driver_attach+0xd4/0xed\n bus_for_each_dev+0x76/0xb8\n bus_add_driver+0xbe/0x1be\n driver_register+0x9a/0xd8\n comedi_pci_driver_register+0x28/0x48 [comedi_pci]\n ? __pfx_pci_8255_driver_init+0x10/0x10 [8255_pci]\n do_one_initcall+0x72/0x183\n do_init_module+0x5b/0x1e8\n init_module_from_file+0x86/0xac\n __do_sys_finit_module+0x151/0x218\n do_syscall_64+0x72/0xdb\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f72f50a0cb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 71 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffd47e512d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\nRAX: ffffffffffffffda RBX: 0000562dd06ae070 RCX: 00007f72f50a0cb9\nRDX: 0000000000000000 RSI: 00007f72f52d32df RDI: 000000000000000e\nRBP: 0000000000000000 R08: 00007f72f5168b20 R09: 0000000000000000\nR10: 0000000000000050 R11: 0000000000000246 R12: 00007f72f52d32df\nR13: 0000000000020000 R14: 0000562dd06785c0 R15: 0000562dcfd0e9a8\n \u003c/TASK\u003e\nModules linked in: 8255_pci(+) comedi_8255 comedi_pci comedi intel_gtt e100(+) acpi_cpufreq rtc_cmos usbhid\nCR2: 0000000000000000\n---[ end trace 0000000000000000 ]---\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b\nRDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00\nRBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001\nR10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000\nR13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8\nFS: \n---truncated---"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: comedi: comedi_8255: Corregir error en la inicializaci\u00f3n del subdispositivo La refactorizaci\u00f3n realizada en el commit 5c57b1ccecc7 (\"comedi: comedi_8255: Rework subdevice inicializationfunctions\") a la inicializaci\u00f3n del campo io de la estructura subdev_8255_private se rompi\u00f3 todas las tarjetas que utilizan el m\u00f3dulo drivers/comedi/drivers/comedi_8255.c. Antes de 5c57b1ccecc7, __subdev_8255_init() inicializaba el campo io en la estructura subdev_8255_private reci\u00e9n asignada a la devoluci\u00f3n de llamada no NULL proporcionada a la funci\u00f3n; de lo contrario, usaba un par\u00e1metro de marca para seleccionar entre subdev_8255_mmio y subdev_8255_io. La refactorizaci\u00f3n elimin\u00f3 esa l\u00f3gica y la bandera, ya que subdev_8255_mm_init() y subdev_8255_io_init() ahora pasan expl\u00edcitamente subdev_8255_mmio y subdev_8255_io respectivamente a __subdev_8255_init(), solo __subdev_8255_init() nunca establece spriv-\u0026gt;io en la devoluci\u00f3n de llamada proporcionada. Que spriv-\u0026gt;io sea NULL conduce a un ERROR posterior: ERROR: desreferencia del puntero NULL del n\u00facleo, direcci\u00f3n: 0000000000000000 PGD 0 P4D 0 Ups: 0010 [#1] SMP PTI CPU: 1 PID: 1210 Comm: systemd-udevd No contaminado 6.7 .3-x86_64 #1 Nombre de hardware: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX RIP: 0010:0x0 C\u00f3digo: No se puede acceder a los bytes del c\u00f3digo de operaci\u00f3n en 0xffffffffffffffd6. RSP: 0018: FFFFA3F1C02D7B78 EFLAGS: 00010202 RAX: 000000000000000000 RBX: FFFF91F847AEFD00 RCX: 00000000000000009B RDX: 00000000000003 RSI: 00000000000001 RDI: FFF91F840F6FC00 R08: 000000000000000000 R09: 000000000000000001 R10: 000000000000000000 R11: 000000000000005F R12: 0000000000000000000000000000: 0000000000000000 RUBI R15: ffff91f847ce6ba8 FS: 00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:00000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050 033 CR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0 Seguimiento de llamadas:  ? __die_body+0x15/0x57 ? page_fault_oops+0x2ef/0x33c? insert_vmap_area.constprop.0+0xb6/0xd5? alloc_vmap_area+0x529/0x5ee? exc_page_fault+0x15a/0x489? asm_exc_page_fault+0x22/0x30 __subdev_8255_init+0x79/0x8d [comedi_8255] pci_8255_auto_attach+0x11a/0x139 [8255_pci] comedi_auto_config+0xac/0x117 [comedi] ? __pfx___driver_attach+0x10/0x10 pci_device_probe+0x88/0xf9 very_probe+0x101/0x248 __driver_probe_device+0xbb/0xed driver_probe_device+0x1a/0x72 __driver_attach+0xd4/0xed bus_for_each_dev+0x76/0xb 8 bus_add_driver+0xbe/0x1be driver_register+0x9a/0xd8 comedi_pci_driver_register+0x28/0x48 [comedia_pci] ? __pfx_pci_8255_driver_init+0x10/0x10 [8255_pci] do_one_initcall+0x72/0x183 do_init_module+0x5b/0x1e8 init_module_from_file+0x86/0xac __do_sys_finit_module+0x151/0x218 do_syscall_ 64+0x72/0xdb Entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7f72f50a0cb9 C\u00f3digo: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 71 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffd47e512d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: X: 00007f72f50a0cb9 RDX: 0000000000000000 RSI: 00007f72f52d32df RDI: 000000000000000e RBP: 00000000000000000 R08: 00007f72f5168b20 0000000000000000 R10 : 0000000000000050 R11: 0000000000000246 R12: 00007f72f52d32df R13: 0000000000020000 R14: 0000562dd06785c0 R15: 0000562dcfd0e9a8 K\u0026gt; M\u00f3dulos vinculados en: 8255_pci(+) comedi_8255 comedi_pci comedi intel_gtt e100(+) acpi_cpufreq rtc_cmos usbhid CR2: 00000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:0x0 C\u00f3digo: No se puede acceder a los bytes del c\u00f3digo de operaci\u00f3n en 0xffffffffffffffd6. RSP: 0018: FFFFA3F1C02D7B78 EFLAGS: 00010202 RAX: 000000000000000000 RBX: FFFF91F847AEFD00 RCX: 00000000000000009B RDX: 00000000000003 RSI: 00000000000001 RDI: FFF91F840F6FC00  ---truncado---"
    }
  ],
  "id": "CVE-2024-26867",
  "lastModified": "2025-03-04T15:48:35.900",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-04-17T11:15:09.303",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch",
        "Mailing List"
      ],
      "url": "https://git.kernel.org/stable/c/4a825457a45d8debc46ab8cba57d47462411710d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch",
        "Mailing List"
      ],
      "url": "https://git.kernel.org/stable/c/cfa9ba1ae0bef0681833a22d326174fe633caab5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Mailing List"
      ],
      "url": "https://git.kernel.org/stable/c/4a825457a45d8debc46ab8cba57d47462411710d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Mailing List"
      ],
      "url": "https://git.kernel.org/stable/c/cfa9ba1ae0bef0681833a22d326174fe633caab5"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.