Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A NULL pointer dereference vulnerability has been identified in the Linux kernel's IPU3 Image Processing Unit driver, specifically within the 'imgu_subdev_set_selection()' function. This issue arises when the function is called with a NULL subdevice state, leading to a crash. The vulnerability exists in several Linux kernel versions, including 5.14 and later. The problem occurs because 'imgu_subdev_set_selection()' first retrieves pointers to the 'try' and 'active' states before deciding which one to use. If the state is NULL, that retrieval dereferences a NULL pointer. Although a similar issue in 'imgu_subdev_get_selection()' has been addressed, the problem in 'imgu_subdev_set_selection()' persists, creating a potential denial-of-service scenario.
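The ordering problem described above, modelled in user-space C as an added example (this is not the kernel's code or its patch). Every type and function name is hypothetical, and the NULL check on the try path is an assumption of this sketch.

```c
#include <errno.h>
#include <stddef.h>

/* User-space model. Every name below is hypothetical, not the IPU3 driver's. */
enum which { WHICH_TRY, WHICH_ACTIVE };
struct rect { int left, top, width, height; };
struct sd_state { struct rect *pads; };      /* "try" rectangles, one per pad */
struct device { struct rect active_crop; };  /* driver-owned "active" rectangle */

/* Stand-in for a state accessor: it reads st->pads, so st must not be NULL. */
static struct rect *state_try_crop(struct sd_state *st, unsigned int pad)
{
    return &st->pads[pad];
}

/* Before: both pointers are fetched up front, so a NULL st faults here even
 * when the caller asked for WHICH_ACTIVE and the try pointer is never used. */
int set_selection_eager(struct device *dev, struct sd_state *st,
                        enum which w, unsigned int pad, const struct rect *r)
{
    struct rect *try_crop = state_try_crop(st, pad);
    struct rect *active_crop = &dev->active_crop;
    *(w == WHICH_TRY ? try_crop : active_crop) = *r;
    return 0;
}

/* After: decide first and touch st only on the try path. The explicit NULL
 * check on that path is an extra guard assumed for this sketch. */
int set_selection_lazy(struct device *dev, struct sd_state *st,
                       enum which w, unsigned int pad, const struct rect *r)
{
    if (w == WHICH_TRY && !st)
        return -EINVAL;
    /* Only the selected operand of ?: is evaluated. */
    *(w == WHICH_TRY ? state_try_crop(st, pad) : &dev->active_crop) = *r;
    return 0;
}

/* Constructed check: call the lazy variant with a NULL state.
 * Returns the error code on failure, else the stored active width. */
int lazy_with_null_state(enum which w)
{
    struct device dev = { { 0, 0, 0, 0 } };
    struct rect r = { 0, 0, 640, 480 };   /* constructed sample rectangle */
    int rc = set_selection_lazy(&dev, NULL, w, 0, &r);
    return rc ? rc : dev.active_crop.width;
}
```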
Exploitation of this vulnerability leads to a NULL pointer dereference, causing a crash and denial-of-service condition on the affected system.
To reproduce this vulnerability, call the 'imgu_subdev_set_selection()' function with a NULL subdevice state. This can be done by passing a NULL value for the 'sd_state' parameter, which will trigger the NULL pointer dereference when the function attempts to access the 'try' and 'active' state pointers.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The official Linux kernel Git repository can be used to download the patched version.