char: applicom: fix NULL pointer dereference in ac_ioctl

Discovered by Atuin - Automated Vulnerability Discovery Engine.

In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.

If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.

Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.

Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/char/applicom.c b/drivers/char/applicom.c
index 9fed9706d9cd26a411175aba24af0be2a8ef7492..c138c468f3a441e9aa7494fa56f83f444de50f48 100644 (file)
--- a/drivers/char/applicom.c
+++ b/drivers/char/applicom.c
@@ -835,7 +835,10 @@ static long ac_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                ret = -ENOTTY;
                break;
        }
-       Dummy = readb(apbs[IndexCard].RamIO + VERS);
+
+       if (cmd != 6)
+               Dummy = readb(apbs[IndexCard].RamIO + VERS);
+
        kfree(adgl);
        mutex_unlock(&ac_mutex);
        return ret;