Linux Kernel VSP1 Driver Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's VSP1 driver, specifically in versions prior to 6.2.0. This issue arises because the driver incorrectly uses the 'vb2_is_streaming()' function to determine if the 'start_streaming()' operation has been called. A recent commit changed when the 'streaming' field is updated, leading the VSP1 driver to mistakenly believe that streaming had started, when it had not. As a result, the driver attempts to access a null pointer and the kernel crashes.

Impact

Exploitation of this vulnerability leads to a kernel crash due to a null pointer dereference, causing a denial of service condition.

Reproduction

The vulnerability can be reproduced by using the VSP1 driver with the Video4Linux2 (V4L2) interface. When the 'vb2_is_streaming()' function is called, it will incorrectly indicate that streaming has started, based on the new behavior introduced by the commit 'media: vb2: add (un)prepare_streaming queue ops'. This misrepresentation will cause the driver to process buffers incorrectly, triggering a hardware operation that should not occur, and ultimately leading to a crash.
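
The state mix-up described above, as an added userspace model in C (not the kernel's or the VSP1 driver's code). All struct, function and enum names are constructed, and the NULL 'pipe' pointer is an assumed stand-in for whatever state 'start_streaming()' sets up.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name here is constructed for illustration. */
struct pipe_state { int frames_kicked; };
struct queue_model {
    bool streaming;              /* what a vb2_is_streaming()-style check reads */
    bool start_streaming_called; /* true only once start_streaming() has run */
    struct pipe_state *pipe;     /* hypothetical state set up by start_streaming() */
};
enum outcome { HELD_FOR_LATER, HW_KICKED, NULL_DEREF };

/* Modelled ordering after the vb2 change: flag raised before start_streaming(). */
static void model_streamon_accepted(struct queue_model *q) { q->streaming = true; }
static void model_start_streaming(struct queue_model *q, struct pipe_state *p)
{
    q->pipe = p;
    q->start_streaming_called = true;
}

/* Shared tail: touching the pipeline is only safe once it exists. */
static enum outcome kick_hw(struct queue_model *q)
{
    if (!q->pipe)
        return NULL_DEREF;       /* the kernel would oops at this point */
    q->pipe->frames_kicked++;
    return HW_KICKED;
}

/* Weak check: treats "streaming flag set" as "start_streaming() has run". */
static enum outcome buf_queue_weak(struct queue_model *q)
{
    return q->streaming ? kick_hw(q) : HELD_FOR_LATER;
}

/* Hardened check: gate on the state the buffer path actually depends on. */
static enum outcome buf_queue_hardened(struct queue_model *q)
{
    return q->start_streaming_called ? kick_hw(q) : HELD_FOR_LATER;
}

int main(void)
{
    struct pipe_state p = {0};
    struct queue_model q = {0};
    model_streamon_accepted(&q);
    printf("weak=%d hardened=%d\n", buf_queue_weak(&q), buf_queue_hardened(&q));
    model_start_streaming(&q, &p);
    return buf_queue_hardened(&q) == HW_KICKED ? 0 : 1;
}
```
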

Remediation

Users can upgrade to Linux kernel version 6.2.0 or later, where this vulnerability has been fixed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.

Added: Oct 1, 2025, 2:01 PM
Updated: Oct 1, 2025, 2:01 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.