Linux Kernel Broadcom SDIO Device Probe Failure Handling Vulnerability

A vulnerability in the Linux kernel's handling of the SDIO Broadcom 'brcmfmac' device can lead to a kernel oops error. This issue arises when the device probe fails, such as due to missing firmware. Instead of setting the bus pointer to NULL, the error state is applied, causing the cleanup function to attempt to free resources using an invalid bus pointer. The problem occurs because the bus pointer is assigned twice: first in 'brcmf_sdio_probe()' and again in 'brcmf_sdiod_probe()'. The vulnerability has been addressed by modifying 'brcmf_sdio_probe()' to return an error code and only set the bus pointer when the probe is successful.

Impact

The vulnerability can cause a kernel oops, which is a type of error that leads to a system crash or instability.

Reproduction

To reproduce this vulnerability, attempt to probe a Broadcom SDIO device using the 'brcmfmac' driver without the necessary firmware. The probe will fail, but instead of properly handling the error by setting the bus pointer to NULL, it will be set to an error state. When the cleanup function 'brcmf_sdio_remove()' is called, it will try to free resources using the invalid bus pointer, leading to a kernel oops error.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.