In the Linux kernel, the following vulnerability has been resolved:
mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read().
ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULL
Detailed reproduction information available at the Link [1],
In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference.
The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME.
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Linux_kernel | Linux | 2.6.31 (including) | 4.19.306 (excluding) |
| Linux_kernel | Linux | 4.20 (including) | 5.4.268 (excluding) |
| Linux_kernel | Linux | 5.5.0 (including) | 5.10.209 (excluding) |
| Linux_kernel | Linux | 5.11.0 (including) | 5.15.148 (excluding) |
| Linux_kernel | Linux | 5.16.0 (including) | 6.1.75 (excluding) |
| Linux_kernel | Linux | 6.2.0 (including) | 6.6.14 (excluding) |
| Linux_kernel | Linux | 6.7.0 (including) | 6.7.2 (excluding) |