Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 7.0.0-rc1, < 7.0.0-rc1+
A vulnerability exists in the Linux kernel's Error Detection and Correction (EDAC) memory controller driver. The issue arises in the 'edac_mc_alloc()' function when the allocation of private information fails. This failure triggers an error path that calls 'put_device()', which in turn invokes the device's release function. However, the initialization order is incorrect: 'device_initialize()' is only called after the point where the allocation can fail, so on this error path the device and its release function pointer are still uninitialized. This flaw can lead to a warning about an uninitialized kobject being released, as observed in the systemd-udevd process.
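The ordering problem described above, as a user-space C model added here for illustration (it is not kernel code and not the upstream patch). The `model_*` names, the `init_first` switch and the corrected ordering are assumptions; `run_case()` returns how many times a put reaches a device that was never initialized.

```c
/* User-space model of the ordering flaw; all model_* names are hypothetical. */
#include <stdbool.h>
#include <stdlib.h>

struct model_dev {
    bool initialized;                      /* stands in for kobject init state */
    void *pvt;                             /* driver-private area */
    void (*release)(struct model_dev *);   /* set only by model_device_initialize() */
};
static int warnings;                       /* puts seen on an uninitialized device */

static void model_release(struct model_dev *d) { free(d->pvt); free(d); }

static void model_device_initialize(struct model_dev *d)
{
    d->initialized = true;
    d->release = model_release;
}

/* Models put_device() dropping the last reference. */
static void model_put_device(struct model_dev *d)
{
    if (d->initialized) { d->release(d); return; }
    warnings++;                            /* where the kernel emits its warning */
    free(d);                               /* model only: avoid leaking in the demo */
}

/* init_first=false is the described order; true is the assumed corrected order. */
static struct model_dev *model_mc_alloc(bool init_first, bool pvt_fails)
{
    struct model_dev *d = calloc(1, sizeof(*d));
    if (!d) return NULL;
    if (init_first) model_device_initialize(d);
    d->pvt = pvt_fails ? NULL : malloc(64);
    if (!d->pvt) { model_put_device(d); return NULL; }   /* error path */
    if (!init_first) model_device_initialize(d);
    return d;
}

/* Returns the number of warnings one allocation attempt produces. */
int run_case(bool init_first, bool pvt_fails)
{
    warnings = 0;
    struct model_dev *d = model_mc_alloc(init_first, pvt_fails);
    if (d) model_put_device(d);
    return warnings;
}

int main(void) { return run_case(false, true) == 1 && run_case(true, true) == 0 ? 0 : 1; }
```

The warning only appears when the private allocation fails under the described ordering; the success path and the corrected ordering produce none.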
The vulnerability can cause a kernel warning about an uninitialized kobject being released, which may indicate a deeper issue with resource management in the kernel.
The vulnerability can be reproduced by initializing the EDAC memory controller driver on a system running the affected Linux kernel version. When the 'edac_mc_alloc()' function encounters a failure in allocating private information, it will trigger the error path that calls 'put_device()' before the device has been properly initialized. This sequence will generate a warning about the kobject release, indicating that the vulnerability has been successfully reproduced.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.