Linux Kernel Greybus Lights NULL Pointer Dereference Vulnerability

A vulnerability in the Linux kernel's Greybus lights implementation can lead to a NULL pointer dereference. The issue arises in the 'gb_lights_light_config' function, which stores the channel count before allocating the channels array. If the memory allocation fails, the release function attempts to access the channels, resulting in a NULL dereference. This vulnerability affects the staging area of the Greybus lights driver.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash of the affected component or application.

Reproduction

The vulnerability can be reproduced by configuring a Greybus light with a channel count that exceeds the available memory, causing the 'kcalloc' function to fail. The 'gb_lights_release' function will then iterate over the non-zero channel count and attempt to access the 'light->channels' pointer, which will be NULL, resulting in a crash.

Remediation

The vulnerability has been addressed by modifying the channel allocation process. Channels are now allocated before the channel count is published, preventing the release function from dereferencing a NULL pointer. Users should update to the latest version of the Linux kernel where this fix has been applied.