Linux Kernel VME Fake Driver Initialization Error Handling Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's VME fake driver (vme_fake), in its module initialization function 'fake_init()'. The function calls '__root_device_register()' to create the root device for the fake VME bus. That call can fail, in which case it returns an error-encoded pointer (an ERR_PTR holding a negative errno) rather than a valid device, but 'fake_init()' never checks for this: it stores whatever it gets in 'vme_root' and reports success. When the module is later unloaded, the exit path passes the stored value to 'root_device_unregister()', which dereferences it and triggers a general protection fault. With KASAN enabled the crash is reported as a null-pointer dereference in a small range of low addresses: adding a structure field offset to the negative errno value held in the pointer wraps around to an address near zero, which the kernel flags as probably non-canonical. The problem was introduced in version 5.15 and has been fixed in the stable branch.

Impact

Denial of service: unloading the vme_fake module after a failed root device registration dereferences an error-encoded pointer inside 'root_device_unregister()' and crashes the kernel with a general protection fault (reported under KASAN as a null-pointer dereference at a low, non-canonical address). Triggering it requires '__root_device_register()' to fail, which in practice means a memory allocation failure or a failure inside the device registration it performs, and only a privileged user can load and unload the module, so the realistic exposure is limited to fault-injection testing and memory-exhaustion conditions rather than an attacker-controlled trigger.

Reproduction

To reproduce this vulnerability, build a kernel with the fake VME driver as a module and KASAN enabled, then arrange for '__root_device_register()' to fail while 'fake_init()' runs (for example with the kernel's fault-injection facility, so that the allocation performed during registration returns NULL). Load the module: 'fake_init()' ignores the error, stores the error pointer in 'vme_root' and reports success, so the module appears to load normally. Now unload the module. The exit path calls 'root_device_unregister()' on the stored error pointer and the kernel logs a general protection fault, with the KASAN null-ptr-deref report pointing at 'root_device_unregister'. A plain load/unload cycle without the forced failure does not trigger the bug, because the registration succeeds and 'vme_root' holds a valid device.
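The following user-space C model illustrates the mechanism described in the Vulnerability and Reproduction sections. It is an added example, not code from the kernel or from the vme_fake driver: the ERR_PTR/IS_ERR/PTR_ERR helpers are re-implemented from the kernel's include/linux/err.h semantics, 'root_device_register_mock()' and 'root_device_unregister_mock()' are hypothetical stand-ins for the real kernel functions, and the 'struct device' layout is invented. The unchecked init is shown beside the checked one, and 'faulting_address()' shows why an error pointer plus a field offset lands in a low address range.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space re-implementation of the kernel's error-pointer helpers:
 * a pointer value in the top MAX_ERRNO bytes of the address space
 * encodes a negative errno instead of a real object. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Hypothetical stand-in for struct device; the layout is invented. */
struct device {
    char name[16];
    int refcount;
};

/* When set, the next registration fails the way an allocation failure would. */
static int fail_next_register;

/* Mock of __root_device_register(): returns a device or an ERR_PTR. */
static struct device *root_device_register_mock(const char *name)
{
    if (fail_next_register) {
        fail_next_register = 0;
        return ERR_PTR(-ENOMEM);
    }
    struct device *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return ERR_PTR(-ENOMEM);
    strncpy(dev->name, name, sizeof(dev->name) - 1);
    dev->refcount = 1;
    return dev;
}

/* Mock of root_device_unregister(): dereferences its argument unconditionally. */
static void root_device_unregister_mock(struct device *dev)
{
    dev->refcount--;
    free(dev);
}

static struct device *vme_root;

/* Vulnerable pattern: the return value is stored but never checked. */
static int fake_init_vulnerable(void)
{
    vme_root = root_device_register_mock("vme");
    return 0; /* reports success even when vme_root is an ERR_PTR */
}

/* Fixed pattern: propagate the error so the module never finishes loading. */
static int fake_init_fixed(void)
{
    vme_root = root_device_register_mock("vme");
    if (IS_ERR(vme_root))
        return (int)PTR_ERR(vme_root);
    return 0;
}

/* One load/unload cycle of the vulnerable driver with registration forced to
 * fail. Returns 1 if the unload path would hand an error pointer to the
 * unregister routine (where the real kernel faults), 0 otherwise. */
static int cycle_vulnerable(void)
{
    fail_next_register = 1;
    if (fake_init_vulnerable() != 0)
        return -1; /* cannot happen: the vulnerable init never fails */
    int would_fault = IS_ERR(vme_root);
    if (!would_fault)
        root_device_unregister_mock(vme_root); /* the real exit does this unconditionally */
    vme_root = NULL;
    return would_fault;
}

/* Same cycle with the fixed init. Returns the init result: -ENOMEM means the
 * module load was rejected, so the exit function is never invoked. */
static int cycle_fixed(void)
{
    fail_next_register = 1;
    int ret = fake_init_fixed();
    if (ret == 0) {
        root_device_unregister_mock(vme_root);
        vme_root = NULL;
    }
    return ret;
}

/* Address touched when a field at byte offset `off` is read through an error
 * pointer: the negative errno wraps to a small positive value, which is why
 * KASAN reports a null-ptr-deref in a low address range. */
static uintptr_t faulting_address(const void *err_ptr, size_t off)
{
    return (uintptr_t)err_ptr + off;
}

int main(void)
{
    printf("vulnerable: unload would fault = %d\n", cycle_vulnerable());
    printf("fixed: init returned %d (module load rejected)\n", cycle_fixed());
    printf("ERR_PTR(-ENOMEM) + 0x20 -> 0x%lx\n",
           (unsigned long)faulting_address(ERR_PTR(-ENOMEM), 0x20));
    return 0;
}
```

The fixed variant mirrors the shape of the upstream fix: checking the result of the registration with IS_ERR() and returning PTR_ERR() from the init function is enough, because a module whose init fails is not loaded and its exit function is never called, so the stored error pointer is never handed to 'root_device_unregister()'.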

Remediation

Upgrade to a kernel that contains the fix, which makes 'fake_init()' check the return value of '__root_device_register()' with IS_ERR() and return the error code instead of continuing; a module whose init fails is not loaded, so its exit function never runs and 'vme_root' is never passed to 'root_device_unregister()'. Distribution kernels that carry the stable backport are fixed as well. If the fake VME driver is not needed, not building or not loading 'vme_fake' removes the exposure entirely.

Added: Oct 7, 2025, 6:16 PM
Updated: Oct 7, 2025, 6:16 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.