Linux Kernel Comedi PCL818 Null Pointer Dereference Vulnerability in Asynchronous Command Cancellation

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's Comedi PCL818 driver. The issue is in the 'pcl818_ai_cancel()' function when it is reached through 'pcl818_detach()' during an early device detach. In that case, the subdevice ('read_subdev') may not yet have initialized its pointer to the 'comedi_async' structure, so dereferencing that pointer can lead to a general protection fault and a kernel crash. The vulnerability has been addressed by removing the call to 'pcl818_ai_cancel()' from 'pcl818_detach()'. If the subdevice supports asynchronous commands, cancellation is now handled by the subdevice's cancel handler, called from 'comedi_device_detach_locked()', before 'pcl818_detach()' is called. If there is no support for asynchronous commands, no cancellation is needed.
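The detach ordering described above, as an added userspace C model; it is not the kernel's code and does not come from the advisory. All model_* structs and functions are assumptions made for illustration, and where the kernel would fault on the unset pointer the model counts a fault instead.

```c
#include <stdio.h>
/* Userspace model only: the model_* names are assumptions, not kernel code. */
struct model_async { int cmd_running; };
struct model_subdev { struct model_async *async; };
struct model_dev { struct model_subdev *read_subdev; int faults; };
typedef void (*model_detach_fn)(struct model_dev *);

/* Models pcl818_ai_cancel(), which reads through s->async. Where the kernel
 * would fault on an unset pointer, the model counts a fault instead. */
static void model_ai_cancel(struct model_dev *dev, struct model_subdev *s)
{
    if (!s->async) { dev->faults++; return; }
    s->async->cmd_running = 0;
}

/* Models the core detach path: cancel a running command, then driver detach. */
static void model_core_detach(struct model_dev *dev, model_detach_fn driver_detach)
{
    struct model_subdev *s = dev->read_subdev;
    if (s && s->async && s->async->cmd_running)
        model_ai_cancel(dev, s);
    driver_detach(dev);
}

/* Driver detach before the fix: cancels unconditionally. */
static void model_detach_before(struct model_dev *dev)
{
    model_ai_cancel(dev, dev->read_subdev);
}

/* Driver detach after the fix: no cancel call, the core already did it. */
static void model_detach_after(struct model_dev *dev) { (void)dev; }

/* Runs one detach; early != 0 leaves the async pointer unset. */
static int model_run(int early, model_detach_fn detach)
{
    struct model_async a = { 1 };
    struct model_subdev s = { early ? NULL : &a };
    struct model_dev d = { &s, 0 };
    model_core_detach(&d, detach);
    return d.faults;
}

int main(void)
{
    printf("early detach: %d fault(s) before fix, %d after\n",
           model_run(1, model_detach_before), model_run(1, model_detach_after));
    return 0;
}
```

Only the early detach combined with the pre-fix driver detach reaches the cancel routine with the async pointer unset; a fully attached device is cancelled safely on either path.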

Impact

Exploitation of this vulnerability causes a general protection fault, likely due to a non-canonical address, leading to a kernel crash.

Reproduction

The vulnerability can be reproduced by detaching a device that has not fully initialized its asynchronous command pointer in the Comedi PCL818 driver. This can be done by triggering an early device detach, which will result in a null pointer dereference when 'pcl818_ai_cancel()' attempts to access the uninitialized asynchronous command data.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Dec 22, 2025, 5:19 PM
Updated: Dec 22, 2025, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.