Linux Kernel Integer Underflow Vulnerability in mt7601u Wireless Driver Leading to Null Pointer Dereference

Vulnerability

A vulnerability has been identified in the Linux kernel's mt7601u wireless (USB) driver, where an integer underflow leads to a null pointer dereference. The driver reads the 'dma_len' field from the DMA header of each segment in the URB data returned by the device and derives the segment length 'seg_len' from it. In 'mt7601u_rx_process_seg()' the fixed header and trailer sizes are subtracted from 'seg_len' without first checking that the segment is long enough to contain them, so a deliberately small 'dma_len' makes the unsigned 'seg_len' wrap around to a very large value. That oversized length satisfies the length comparison guarding the 'bad_frame' path in 'mt7601u_rx_skb_from_seg()', so a frame that should have been discarded is processed further and the driver dereferences a null pointer. Because 'dma_len' is written by the device side of the USB transfer, the realistic trigger is a malicious, faulty or emulated USB device, which is exactly what USB fuzzing models. The vulnerability was discovered using a modified version of syzkaller; the null pointer dereference was reported on a kernel built with the Kernel Address Sanitizer (KASAN) enabled.

Impact

Triggering this vulnerability dereferences a null pointer in the receive path, which crashes the kernel (an oops, or a full panic where panic_on_oops is set). The practical effect is a denial of service against any host that has the mt7601u module loaded and a hostile or emulated device attached; no memory write or information disclosure is described for this issue.

Reproduction

To reproduce, present the driver with a receive URB whose DMA header carries a 'dma_len' smaller than the fixed header and trailer sizes that the driver subtracts from it. The subtraction wraps 'seg_len' around, the frame-length validation in 'mt7601u_rx_skb_from_seg()' is passed, and the kernel crashes on a null pointer dereference. Reaching the bug requires control of the device side of the USB transfer, so in practice it is driven through an emulated USB device; the discoverers automated this with a modified version of syzkaller on a KASAN-enabled kernel.
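The length arithmetic described in the Vulnerability and Reproduction sections, modelled in user space as an added illustration (this is not the driver's code and not the upstream patch). The header sizes (MT_DMA_HDR_LEN, MT_RX_INFO_LEN, MT_FCE_INFO_LEN, the RXWI size), the shape of the segment-walker checks, the 'true_len' frame-length comparison and the two URB buffers are all assumptions made for this example; 'process_hardened()' shows one way to close the hole by rejecting short segments before any subtraction, not necessarily the way the kernel fixed it.

```c
/*
 * Userspace model of the mt7601u RX segment length handling.
 * Added illustration only: constants and check layout are assumed,
 * not copied from the driver.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MT_DMA_HDR_LEN   4u   /* DMA_INFO word carrying dma_len        (assumed) */
#define MT_RX_INFO_LEN   4u   /* RX info word                          (assumed) */
#define MT_FCE_INFO_LEN  4u   /* FCE descriptor at the segment's end   (assumed) */
#define MT_RXWI_LEN     16u   /* size of the RXWI descriptor           (assumed) */
#define MT_DMA_HDRS      (MT_DMA_HDR_LEN + MT_RX_INFO_LEN)
#define MIN_SEG_LEN      (MT_DMA_HDRS + MT_RXWI_LEN + MT_FCE_INFO_LEN)

enum seg_result { SEG_OK = 0, SEG_BAD_FRAME = 1, SEG_REJECTED = 2 };

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Segment walker as modelled: returns the whole-segment length, or 0 to stop.
 * dma_len comes straight from the device's URB data; only its upper bound,
 * non-zero-ness and alignment are tested, not whether it covers the fixed
 * headers that will later be subtracted. */
static uint32_t next_seg_len(const uint8_t *data, uint32_t data_len)
{
    uint16_t dma_len = le16(data);

    if (data_len < MIN_SEG_LEN || !dma_len ||
        dma_len + MT_DMA_HDRS > data_len || (dma_len & 3))
        return 0;
    return MT_DMA_HDRS + dma_len;
}

/* Unchecked u32 subtraction chain: wraps whenever seg_len < 24. */
static uint32_t payload_len_unchecked(uint32_t seg_len)
{
    seg_len -= MT_FCE_INFO_LEN;
    seg_len -= MT_DMA_HDR_LEN;
    seg_len -= MT_RXWI_LEN;
    return seg_len;
}

/* bad_frame check as modelled: the frame length derived from the RXWI
 * (true_len) must fit in the remaining payload. A wrapped payload length
 * defeats the second clause for every true_len. */
static enum seg_result check_frame(uint32_t true_len, uint32_t payload_len)
{
    if (!true_len || true_len > payload_len)
        return SEG_BAD_FRAME;
    return SEG_OK;
}

/* Vulnerable flow: walker -> unchecked subtraction -> frame check. */
static enum seg_result process_vulnerable(const uint8_t *data, uint32_t data_len,
                                          uint32_t true_len)
{
    uint32_t seg_len = next_seg_len(data, data_len);

    if (!seg_len)
        return SEG_REJECTED;
    return check_frame(true_len, payload_len_unchecked(seg_len));
}

static bool sub_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a < b)
        return false;
    *out = a - b;
    return true;
}

/* Hardened flow (one possible fix, assumed): require that the segment covers
 * every fixed header before subtracting, and fail closed on any underflow. */
static enum seg_result process_hardened(const uint8_t *data, uint32_t data_len,
                                        uint32_t true_len)
{
    uint32_t seg_len = next_seg_len(data, data_len), payload;

    if (!seg_len || seg_len < MIN_SEG_LEN)
        return SEG_REJECTED;
    if (!sub_checked(seg_len, MT_FCE_INFO_LEN, &payload) ||
        !sub_checked(payload, MT_DMA_HDR_LEN, &payload) ||
        !sub_checked(payload, MT_RXWI_LEN, &payload))
        return SEG_REJECTED;
    return check_frame(true_len, payload);
}

/* Constructed URB buffers (64 bytes, little-endian dma_len in bytes 0..1):
 * crafted_urb: dma_len = 4, non-zero, aligned, fits the buffer, but the
 *              12-byte segment cannot hold the 24 bytes of fixed headers.
 * sane_urb:    dma_len = 48, a 56-byte segment with 32 bytes of payload. */
static const uint8_t crafted_urb[64] = { 0x04, 0x00 };
static const uint8_t sane_urb[64]    = { 0x30, 0x00 };

int main(void)
{
    printf("vulnerable, crafted: %d (0 = frame check passed on a 12-byte segment)\n",
           process_vulnerable(crafted_urb, sizeof crafted_urb, 1000));
    printf("hardened,   crafted: %d (2 = rejected before arithmetic)\n",
           process_hardened(crafted_urb, sizeof crafted_urb, 1000));
    return 0;
}
```

The crafted buffer passes every check the walker applies (non-zero, 4-byte aligned, within the URB), yet after the three subtractions the payload length is 0xFFFFFFF4, so a 1000-byte 'true_len' is accepted where it should have been rejected. The hardened variant compares the segment against the sum of the fixed sizes first, which is the check a reviewer would look for whenever a device-supplied length feeds unsigned subtraction.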

Remediation

Users should update to a Linux kernel release that contains the fix for this issue, either from their distribution's security updates or from the official Linux kernel website, and confirm after rebooting that the running kernel is the patched one. Until a patched kernel is deployed, hosts that do not use an MT7601U adapter can remove the attack surface by preventing the mt7601u module from loading (for example with a modprobe blacklist entry), since the bug is only reachable once the driver binds to a device.

Added: Oct 7, 2025, 4:45 PM
Updated: Oct 7, 2025, 4:45 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.