Linux Kernel RFKill GPIO Uninitialized Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's RFKill GPIO handling can lead to a crash due to dereferencing an uninitialized pointer. This issue occurs on x86 systems when the RFKill GPIO driver binds to certain ACPI devices, specifically 'BCM4752' or 'LNV4752'. In these cases, the RFKill type is set based on the ACPI device ID, but without a corresponding 'type' property, the device property read operation fails, leaving the type name uninitialized. This uninitialized pointer can cause a crash when the RFKill type is processed. The vulnerability has been addressed by initializing the type name to NULL before use.

Impact

The vulnerability can cause a system crash when the kernel dereferences the uninitialized pointer, leading to a kernel panic.

Reproduction

To reproduce this vulnerability, load the RFKill GPIO driver on an x86 system that has a 'BCM4752' or 'LNV4752' ACPI device. The driver will attempt to read the type name from the device properties. Since the 'type' property is missing, the read operation will fail, leaving the type name uninitialized. When the driver subsequently calls a function that processes the type name, the uninitialized pointer will be dereferenced, causing a crash.
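The failure and the fix can be modelled in user space. The following is an added example, not the kernel's code: `read_string_prop`, `find_type`, `probe_type_name` and the `stale` value are hypothetical stand-ins, and the assumption is that the property read leaves its output untouched on failure while the type lookup accepts NULL.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

enum rf_type { RF_ALL = 0, RF_WLAN, RF_BLUETOOTH, RF_GPS, RF_NUM };
static const char *const rf_names[RF_NUM] = { NULL, "wlan", "bluetooth", "gps" };

/* Model of a property read: when the property is missing it returns an
 * error and leaves *out untouched, the behaviour the page describes. */
static int read_string_prop(const char *stored, const char **out)
{
    if (!stored)
        return -EINVAL;
    *out = stored;
    return 0;
}

/* Model of the type lookup: NULL is accepted and maps to RF_ALL;
 * any other pointer is dereferenced by strcmp(). */
static enum rf_type find_type(const char *name)
{
    if (!name)
        return RF_ALL;
    for (int i = 1; i < RF_NUM; i++)
        if (!strcmp(name, rf_names[i]))
            return (enum rf_type)i;
    return RF_ALL;
}

/* Returns the pointer the probe path would hand to find_type().
 * 'slot' models what the stack slot held before the read (constructed);
 * 'patched' selects the fixed form, which initialises the local to NULL. */
static const char *probe_type_name(const char *prop, const char *slot, int patched)
{
    const char *type_name = patched ? NULL : slot;

    read_string_prop(prop, &type_name); /* result not checked (assumption of this model) */
    return type_name;
}

static const char stale[] = "gps"; /* constructed stand-in for leftover stack data */

int main(void)
{
    /* Missing 'type' property: unpatched keeps stale data, patched yields NULL. */
    int bad  = probe_type_name(NULL, stale, 0) == stale;
    int good = find_type(probe_type_name(NULL, stale, 1)) == RF_ALL;
    return (bad && good) ? 0 : 1;
}
```

In the model the stale value is a valid string so the program stays well-defined; in the kernel the slot holds arbitrary stack contents, which is why the lookup can fault.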

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: Oct 4, 2025, 8:37 AM
Updated: Oct 4, 2025, 8:37 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.