Linux Kernel Intel-ISH HID Warm Reset Kernel Panic Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of Intel-ISH HID during warm resets can lead to a kernel panic. The issue occurs in versions 5.16 and later, where the cros_ec_ishtp device and driver are registered after the ISH firmware has sent a warm reset notification. That notification nullifies the device's firmware client, so the subsequent attempt to match the driver to the device dereferences a null pointer and the kernel panics. The vulnerability was introduced by a change that restricted bus driver loading to only matching devices, which exposed a timing issue that did not exist in earlier kernel versions.

Impact

Exploitation of this vulnerability causes a kernel panic, leading to a system crash.

Reproduction

To reproduce this vulnerability, load an ISHTP bus driver for a device after the ISH firmware has sent a warm reset notification, which clears the device's firmware client. This can be done by registering the driver and device in the incorrect order, specifically after the firmware client has been set to null, causing the driver to reference a null pointer when attempting to match with the device.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: Sep 18, 2025, 2:58 PM
Updated: Sep 18, 2025, 2:58 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.