Linux Kernel NULL Pointer Dereference Vulnerability in Framebuffer Unregistration

Vulnerability

A vulnerability in the Linux kernel's framebuffer device (fbdev) subsystem can lead to a NULL pointer dereference. This issue occurs when framebuffers without an associated device in the Linux device hierarchy are unregistered. Instead of performing a standard unregistration, the kernel attempts to hot-unplug a non-existent device, resulting in a NULL dereference. The vulnerability was introduced in version 5.17.0 by a commit that changed the unregistration process for firmware framebuffers. The issue has been observed on ppc64le architecture.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash.

Reproduction

The vulnerability can be reproduced by removing a framebuffer device that does not have an underlying platform device, which is typical for certain firmware framebuffers. This can be done by forcing the removal of the framebuffer, which triggers the hot-unplug process, causing the NULL pointer dereference.

Remediation

Users can upgrade to a patched version of the Linux kernel where this vulnerability has been addressed.
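
To check whether a host matches the conditions described above, the following added example (not code from the kernel project or from this advisory) lists framebuffers that have no parent device and tests whether the running kernel is at or after 5.17, the introducing version. It assumes the usual sysfs layout, in which a framebuffer with a parent device exposes a `device` link under /sys/class/graphics/fbN; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: exposure check for the fbdev unregistration NULL dereference.
# Assumption: a framebuffer with a parent device has a "device" link in sysfs.

# Print the name of every fbN under the given class directory that has no
# parent device. The directory is a parameter so a constructed tree can be used.
fb_without_device() {
    fbdir="${1:-/sys/class/graphics}"
    for fb in "$fbdir"/fb[0-9]*; do
        [ -d "$fb" ] || continue            # glob matched nothing
        if [ ! -e "$fb/device" ] && [ ! -L "$fb/device" ]; then
            basename "$fb"
        fi
    done
}

# Return 0 when a release string in `uname -r` form is 5.17 or newer, the
# version the page names as introducing the bug; 2 if it cannot be parsed.
kernel_at_or_after_5_17() {
    krel="${1:-$(uname -r)}"
    major="${krel%%.*}"
    rest="${krel#*.}"
    minor="${rest%%[!0-9]*}"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 17 ]; }
}

# Combine both checks into a one-line finding for the running host.
fbdev_report() {
    running="$(uname -r)"
    orphans="$(fb_without_device "${1:-/sys/class/graphics}" | tr '\n' ' ')"
    if kernel_at_or_after_5_17 "$running" && [ -n "$orphans" ]; then
        echo "REVIEW: kernel $running, framebuffers without a device: $orphans"
    else
        echo "OK: kernel $running has no framebuffer matching the condition"
    fi
}

fbdev_report
```

A REVIEW line only flags a candidate: the page does not name the fixed release, so patch status still has to be confirmed against the distribution's kernel changelog.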

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.