Linux Kernel GPIO Character Device NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's GPIO character device handling can lead to NULL pointer dereferences and a kernel crash. The issue occurs when GPIO lines are requested, the corresponding GPIO device is then unbound, and afterwards system calls such as ioctl(), read(), or poll() are invoked on the anonymous file descriptors obtained from the GPIO character device. The problem was observed with the GPIO simulator, but it affects any GPIO device that can be hot-unplugged, such as HID GPIO expanders like the CP2112. Both version 1 and version 2 of the GPIO userspace API are affected.

Impact

Exploitation of this vulnerability can lead to a denial of service condition by causing the kernel to crash.

Reproduction

To reproduce this vulnerability, request GPIO lines through the character device interface. Once the lines are requested, unbind the GPIO device, which is equivalent to hot-unplugging it. After the device has been unbound, invoke any of the system calls that operate on the GPIO character device's anonymous file descriptors, such as ioctl(), read(), or poll(). This sequence triggers the NULL pointer dereference and crashes the kernel.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree to address this vulnerability.

Added: Oct 1, 2025, 12:38 PM
Updated: Oct 1, 2025, 12:38 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.