Linux Kernel AZ6007 I2C Transfer Null Pointer Dereference Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's handling of I2C transfers for the AZ6007 device. This issue arises in the 'az6007_i2c_xfer' function, where user-controlled messages can be manipulated. Specifically, if a message's buffer is null and its length is zero, the existing checks would be bypassed, allowing malicious data to reach the function. If 'az6007_i2c_xfer' then accesses the buffer without proper validation, a null pointer dereference occurs, leading to a crash. The vulnerability has been addressed by adding a check on the message length to prevent such crashes.

Impact

Exploitation of this vulnerability leads to a null pointer dereference, causing a crash.

Reproduction

The vulnerability can be reproduced by sending an I2C message with a null buffer and a length of zero to the 'az6007_i2c_xfer' function. The function will process the message without proper validation, allowing a null pointer dereference when it attempts to access the buffer.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux Kernel Archive.