Linux Kernel Regulator Dummy Driver NULL Pointer Dereference Vulnerability

A vulnerability in the Linux kernel's dummy regulator driver can lead to a NULL pointer dereference during boot. This issue arises because the probing of the dummy regulator is not completed, causing a subsequent call to 'kobject_get()' to fail. The problem can occur when the 'dummy_regulator_probe()' and 'anatop_regulator_probe()' functions are executed by different kernel threads, potentially leading to a race condition. Although this vulnerability can be reproduced by forcing asynchronous probing, it is expected that synchronizing the probing would not significantly impact boot time.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, which can lead to a system crash.

Reproduction

The vulnerability can be reproduced by forcing the 'dummy' regulator driver to be probed asynchronously. This can be done by triggering the 'dummy_regulator_probe()' function in one kernel thread while simultaneously calling the 'anatop_regulator_probe()' function in another thread. The resulting race condition causes the 'dummy_regulator_rdev' to remain NULL, leading to a NULL pointer dereference when 'kobject_get()' is called.

Remediation

The vulnerability can be addressed by modifying the 'dummy' regulator driver to ensure that probing is done synchronously, completing the initialization before any dependent functions are called.