Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
Input: cros_ec_keyb - fix an invalid memory access
If cros_ec_keyb_register_matrix() isn’t called (due to
buttons_switches_only) in cros_ec_keyb_probe(), ckdev->idev remains
NULL. An invalid memory access is observed in cros_ec_keyb_process()
when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
in such case.
Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 … x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: input_event cros_ec_keyb_work blocking_notifier_call_chain ec_irq_thread
It’s still unknown about why the kernel receives such malformed event,
in any cases, the kernel shouldn’t access ckdev->idev and friends if
the driver doesn’t intend to initialize them.
Details
- Affected product:
- Oracle Linux 7 ELS , Ubuntu 20.04 ELS
- Affected packages:
- kernel-uek @ 5.4.17 (+2 more)
In the Linux kernel, the following vulnerability has been resolved:
Input: cros_ec_keyb - fix an invalid memory access
If cros_ec_keyb_register_matrix() isn’t called (due to
buttons_switches_only) in cros_ec_keyb_probe(), ckdev->idev remains
NULL. An invalid memory access is observed in cros_ec_keyb_process()
when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
in such case.
Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 … x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: input_event cros_ec_keyb_work blocking_notifier_call_chain ec_irq_thread
It’s still unknown about why the kernel receives such malformed event,
in any cases, the kernel shouldn’t access ckdev->idev and friends if
the driver doesn’t intend to initialize them.