Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's handling of the max20086 regulator can lead to invalid memory access. The issue arises in the 'max20086_parse_regulators_dt' function, which uses an array of 'of_regulator_match' structures allocated on the stack. This array is passed to 'of_regulator_match', which in turn arranges for 'devm_of_regulator_put_matches()' to release that memory when the device's managed resources are torn down. If the device probing fails, 'devm_of_regulator_put_matches()' attempts to access the stack-allocated array after the function that owned it has returned, leading to a crash and a stack trace that reveals the call flow. The vulnerability can be reproduced by causing the device probe to fail, which triggers the invalid memory access.
Exploitation of this vulnerability causes a kernel crash due to stack corruption, as the system attempts to access a pointer that has gone out of scope, leading to a failure in the device's regulator management.
The vulnerability can be reproduced by causing the max20086 device to fail during the probing process. This can be done by simulating a failure in the 'DEVICE_ID' register read, which will trigger the 'devm_of_regulator_put_matches()' function to access the stack-allocated 'matches' array after it has gone out of scope, resulting in a crash.
The vulnerability has been addressed by changing the allocation of the 'matches' array to use 'devm_kcalloc()', which ties the array's lifetime to the device and prevents a pointer to stack memory from being accessed after it has gone out of scope. This modification also allows multiple max20086 devices to be probed simultaneously without data conflicts.
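The following is an added, constructed userspace model of the lifetime mismatch described above; it is not kernel code and not the max20086 driver. It imitates the devres (devm_*) rules: memory handed to devm_kcalloc() and release hooks registered by of_regulator_match() are both kept on a per-device list that the driver core tears down, newest first, when probe fails. The buggy probe passes a stack array, the fixed probe passes a devm_kcalloc() array; the model adds a guard (devres_owns(), which the real kernel does not have) so the stack variant is rejected instead of dereferencing a dead frame. Regulator names, node names and the simulated DEVICE_ID failure are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of devres lifetime rules; names follow the kernel API loosely. */
#define MAX_DEVRES 16
#define MAX20086_MAX_REGULATORS 4

struct device;
struct device_node { const char *name; int refcount; };
struct of_regulator_match { const char *name; struct device_node *of_node; };

typedef void (*devres_release_fn)(struct device *dev, void *res);
struct devres { devres_release_fn release; void *res; };

/* Each device owns a LIFO list of managed resources, released on probe failure. */
struct device { struct devres list[MAX_DEVRES]; int n; };

/* devres_alloc + devres_add in one: the memory is owned by the device. */
static void *devres_alloc(struct device *dev, devres_release_fn release, size_t size)
{
    void *res = calloc(1, size);
    if (!res || dev->n >= MAX_DEVRES) { free(res); return NULL; }
    dev->list[dev->n++] = (struct devres){ release, res };
    return res;
}

/* devm_kcalloc: device-owned memory with no extra release hook. */
static void *devm_kcalloc(struct device *dev, size_t n, size_t size)
{
    return devres_alloc(dev, NULL, n * size);
}

/* Model-only guard: is ptr memory whose lifetime devres controls? */
static int devres_owns(const struct device *dev, const void *ptr)
{
    for (int i = 0; i < dev->n; i++)
        if (dev->list[i].res == ptr) return 1;
    return 0;
}

/* Driver-core teardown: run release hooks newest-first, then free the memory. */
static void devres_release_all(struct device *dev)
{
    while (dev->n > 0) {
        struct devres *d = &dev->list[--dev->n];
        if (d->release) d->release(dev, d->res);
        free(d->res);
        d->res = NULL;
    }
}

struct devm_of_regulator_matches {
    struct of_regulator_match *matches;   /* points into the CALLER's array */
    unsigned int num_matches;
};

/* Runs at teardown and dereferences the caller's matches array (of_node_put). */
static void devm_of_regulator_put_matches(struct device *dev, void *res)
{
    struct devm_of_regulator_matches *dm = res;
    (void)dev;
    for (unsigned int i = 0; i < dm->num_matches; i++)
        if (dm->matches[i].of_node) dm->matches[i].of_node->refcount--;
}

static int of_regulator_match(struct device *dev, struct device_node *nodes[], unsigned int nnodes,
                              struct of_regulator_match *matches, unsigned int num_matches)
{
    /* Model-only check the kernel does not perform: put_matches will touch this
     * array after the caller returns, so refuse anything devres does not own. */
    if (!devres_owns(dev, matches)) return -EINVAL;
    struct devm_of_regulator_matches *dm = devres_alloc(dev, devm_of_regulator_put_matches, sizeof(*dm));
    if (!dm) return -ENOMEM;
    dm->matches = matches;
    dm->num_matches = num_matches;
    int found = 0;
    for (unsigned int i = 0; i < num_matches; i++)
        for (unsigned int j = 0; j < nnodes; j++)
            if (strcmp(matches[i].name, nodes[j]->name) == 0) {
                matches[i].of_node = nodes[j];
                nodes[j]->refcount++;   /* of_node_get */
                found++;
            }
    return found;
}

static const char *const max20086_names[MAX20086_MAX_REGULATORS] = { "OUT1", "OUT2", "OUT3", "OUT4" };

/* Before the fix: the array lives in this frame, but put_matches runs after it is gone. */
static int max20086_probe_stack(struct device *dev, struct device_node *nodes[], unsigned int nnodes)
{
    struct of_regulator_match matches[MAX20086_MAX_REGULATORS] = { { 0 } };
    for (int i = 0; i < MAX20086_MAX_REGULATORS; i++) matches[i].name = max20086_names[i];
    int ret = of_regulator_match(dev, nodes, nnodes, matches, MAX20086_MAX_REGULATORS);
    if (ret < 0) return ret;
    return -EIO;   /* constructed: DEVICE_ID read fails, probe bails out */
}

/* After the fix: devm_kcalloc ties the array's lifetime to the device. */
static int max20086_probe_devm(struct device *dev, struct device_node *nodes[], unsigned int nnodes)
{
    struct of_regulator_match *matches = devm_kcalloc(dev, MAX20086_MAX_REGULATORS, sizeof(*matches));
    if (!matches) return -ENOMEM;
    for (int i = 0; i < MAX20086_MAX_REGULATORS; i++) matches[i].name = max20086_names[i];
    int ret = of_regulator_match(dev, nodes, nnodes, matches, MAX20086_MAX_REGULATORS);
    if (ret < 0) return ret;
    return -EIO;   /* constructed: same DEVICE_ID failure */
}

typedef int (*probe_fn)(struct device *, struct device_node *[], unsigned int);

/* Driver-core behaviour: a failed probe releases every managed resource. */
static int really_probe(struct device *dev, probe_fn probe, struct device_node *nodes[], unsigned int nnodes)
{
    int ret = probe(dev, nodes, nnodes);
    if (ret < 0) devres_release_all(dev);
    return ret;
}

int main(void)
{
    struct device_node out1 = { "OUT1", 1 }, out2 = { "OUT2", 1 };
    struct device_node *nodes[] = { &out1, &out2 };
    struct device dev;
    memset(&dev, 0, sizeof dev);
    printf("devm probe: ret %d, refs %d/%d, devres left %d\n",
           really_probe(&dev, max20086_probe_devm, nodes, 2), out1.refcount, out2.refcount, dev.n);
    printf("stack probe: ret %d (guard tripped)\n", really_probe(&dev, max20086_probe_stack, nodes, 2));
    return 0;
}
```

The release order is the point of the fix: devm_kcalloc() registers the array before of_regulator_match() registers the put hook, so on teardown the hook runs first against memory that is still allocated, and only then is the array freed. The stack variant has no entry for the array at all, which is why the real driver only discovers the problem when the hook dereferences a dead frame.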