Linux Kernel Cros EC Keyboard Driver Invalid Memory Access Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's Cros EC keyboard driver, in its handling of key matrix events. When 'cros_ec_keyb_register_matrix()' is not called because of the 'buttons_switches_only' condition, the device input interface remains uninitialized. An 'EC_MKBP_EVENT_KEY_MATRIX' event then leads to an invalid memory access in 'cros_ec_keyb_process()': the kernel attempts to read from a virtual memory address that is not accessible, causing a fault. The driver processes the event even though the components it depends on were never initialized.

Impact

Exploitation of this vulnerability causes a kernel panic: the kernel tries to read from an unreadable memory address, and the invalid memory access crashes the system.

Reproduction

To reproduce this vulnerability, load the Cros EC keyboard driver without initializing the key matrix registration. This can be done by setting the 'buttons_switches_only' option, which prevents 'cros_ec_keyb_register_matrix()' from being called during the probe process. Once the driver is loaded under these conditions, sending an 'EC_MKBP_EVENT_KEY_MATRIX' event to the driver triggers the vulnerability: the kernel attempts to read from an invalid memory address and crashes.

Remediation

Users can ensure that the Cros EC keyboard driver properly initializes the key matrix by avoiding the 'buttons_switches_only' condition when loading the driver.
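
The failure described above can be modelled in user space. The following is an added example, not code from the kernel driver or from this advisory: every name ending in '_model' is hypothetical, the event value is assumed for the model, and the NULL check in the handler is one possible driver-side guard rather than the upstream fix.

```c
/* User-space model (added example); *_model names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EC_MKBP_EVENT_KEY_MATRIX 0 /* value assumed for this model */
enum { EVENT_IGNORED = 0, EVENT_HANDLED = 1 };

struct input_dev_model { uint8_t last_state[8]; unsigned int reports; };
struct ckdev_model { struct input_dev_model *idev; /* NULL until registered */ };

/* Models probe: matrix registration (the only place idev is set) is
 * skipped when buttons_switches_only is true. */
void probe_model(struct ckdev_model *ck, struct input_dev_model *idev,
                 bool buttons_switches_only)
{
    ck->idev = buttons_switches_only ? NULL : idev;
}

/* Models cros_ec_keyb_process(): dereferences ck->idev unconditionally. */
static void process_model(struct ckdev_model *ck, const uint8_t *s, size_t n)
{
    for (size_t i = 0; i < n && i < sizeof(ck->idev->last_state); i++)
        ck->idev->last_state[i] = s[i];
    ck->idev->reports++;
}

/* Event handler with the guard: a key matrix event is dropped when no
 * matrix input device was registered, so process_model() never sees NULL. */
int handle_event_model(struct ckdev_model *ck, int type,
                       const uint8_t *s, size_t n)
{
    if (type != EC_MKBP_EVENT_KEY_MATRIX || !ck->idev)
        return EVENT_IGNORED;
    process_model(ck, s, n);
    return EVENT_HANDLED;
}

int main(void)
{
    struct input_dev_model idev = {0};
    struct ckdev_model ck;
    const uint8_t state[2] = {0x01, 0x80}; /* constructed sample event */

    probe_model(&ck, &idev, true);
    printf("buttons_switches_only: %d\n", handle_event_model(&ck, 0, state, 2));
    probe_model(&ck, &idev, false);
    printf("matrix registered: %d\n", handle_event_model(&ck, 0, state, 2));
    return 0;
}
```

Without the '!ck->idev' test, the first call would reach 'process_model()' with a NULL 'idev', which is the invalid read the advisory describes.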

Added: Dec 4, 2025, 4:28 PM
Updated: Dec 4, 2025, 5:29 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.