X-Mailing-List: linux-kernel@vger.kernel.org
Date: Fri, 28 Nov 2025 13:17:55 +0100
From: "Arnd Bergmann"
To: "Tianchu Chen", "Greg Kroah-Hartman"
Cc: linux-kernel@vger.kernel.org
Message-Id: <5c4965c8-dcec-4faf-bd87-19ca7665fedc@app.fastmail.com>
In-Reply-To: <20251128155323.a786fde92ebb926cbe96fcb1@linux.dev>
References: <20251128155323.a786fde92ebb926cbe96fcb1@linux.dev>
Subject: Re: [PATCH] char: applicom: fix NULL pointer dereference in ac_ioctl

On Fri, Nov 28, 2025, at 08:53, Tianchu Chen wrote:
> From: Tianchu Chen
>
> Discovered by Atuin - Automated Vulnerability Discovery Engine.
>
> In ac_ioctl, the validation of IndexCard and the check for a valid
> RamIO pointer are skipped when cmd is 6. However, the function
> unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
> end.
>
> If cmd is 6, IndexCard may reference a board that does not exist
> (where RamIO is NULL), leading to a NULL pointer dereference.
>
> Fix this by skipping the readb access when cmd is 6, as this
> command is a global information query and does not target a specific
> board context.
>
> Signed-off-by: Tianchu Chen

Acked-by: Arnd Bergmann

> @@ -835,7 +835,10 @@ static long ac_ioctl(struct file *file, unsigned
> int cmd, unsigned long arg)
> ret = -ENOTTY;
> break;
> }
> - Dummy = readb(apbs[IndexCard].RamIO + VERS);
> +
> + if (cmd != 6)
> + Dummy = readb(apbs[IndexCard].RamIO + VERS);
> +
> kfree(adgl);

This is clearly a correct change, and your description explains the issue well. I see the driver was originally merged 26 years ago in 2.3.17 but hasn't changed much. The bug was in the original version, and probably in the earlier SCO Unix driver before it.

The driver is clearly unmaintained and goes against all principles of modern kernel drivers. Unlike the mwave driver I suggested removing earlier, I think this one may theoretically still have users, at least I see nothing that stops it from working, and one can still buy the hardware. On the other hand, there was never really an attempt to add support for newer hardware models including PCIe parts, so presumably any users would have other drivers.

     Arnd
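Review bot: The commit message only names the NULL RamIO case, but its first paragraph also says the IndexCard validation is skipped for cmd 6, so before this hunk the unconditional readb(apbs[IndexCard].RamIO + VERS) could index apbs[] out of range as well as dereference NULL; the new `if (cmd != 6)` guard closes both, and the description could say so. Minor style point: the literal 6 is now compared in two places (the validation and this guard), so a named constant for the release-query command would keep the two checks from drifting apart.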
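A user-space model of the ac_ioctl control flow the commit message describes, added here as an illustration and not code from the applicom driver or the patch: the board table, MAX_BOARD, the VERS offset and the result codes are assumptions of the model. It goes slightly beyond the commit message by also reporting the out-of-range index that the skipped IndexCard check permits.

```c
/* Constructed model of the validate-then-read pattern in ac_ioctl.
 * Sizes, offsets and result codes are assumptions, not driver values. */
#define MAX_BOARD 8          /* assumed board-table size */
#define VERS      0x10       /* assumed register offset */
#define EINVAL    22
#define ENOTTY    25

/* What the trailing readb(apbs[IndexCard].RamIO + VERS) would do. */
enum ac_result {
    AC_OK         = 0,
    AC_EINVAL     = -EINVAL,   /* rejected by the board validation */
    AC_ENOTTY     = -ENOTTY,   /* unknown command, still reaches the read */
    AC_NULL_DEREF = -100,      /* read through a NULL RamIO pointer */
    AC_OOB_INDEX  = -101       /* apbs[] indexed past MAX_BOARD */
};

struct board { unsigned char *RamIO; };          /* NULL: no board present */
static unsigned char fake_ram[2][64];            /* constructed board memory */
static struct board apbs[MAX_BOARD] = { { &fake_ram[0][0] }, { &fake_ram[1][0] } };

/* fixed == 0 models the original code, fixed != 0 the patched code.
 * Commands 0..5 are treated as no-ops; only the control flow matters here. */
int ac_ioctl_model(unsigned int cmd, int num_card, int fixed)
{
    unsigned int IndexCard = (unsigned int)(num_card - 1);
    int ret = AC_OK;

    /* Validation is skipped for cmd 6, exactly as in the driver. */
    if (cmd != 6 && (IndexCard >= MAX_BOARD || !apbs[IndexCard].RamIO))
        return AC_EINVAL;

    if (cmd > 6)
        ret = AC_ENOTTY;           /* default: branch of the switch */

    /* The trailing read: unconditional before the fix, gated after it. */
    if (!fixed || cmd != 6) {
        if (IndexCard >= MAX_BOARD)
            return AC_OOB_INDEX;   /* cmd 6 reached here unvalidated */
        if (!apbs[IndexCard].RamIO)
            return AC_NULL_DEREF;  /* readb(NULL + VERS) */
        (void)apbs[IndexCard].RamIO[VERS];   /* the harmless case */
    }
    return ret;
}
```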