Linux Kernel USB Type-C Bus NULL Pointer Dereference Vulnerability in Alt Mode Attention Handling

Vulnerability

A vulnerability in the Linux kernel's USB Type-C bus implementation can lead to a NULL pointer dereference. This issue arises in the handling of DisplayPort Alt mode negotiations. When a USB hub negotiates a data role swap after entering Alt mode, the connected device unregisters all Alt modes. However, the hub continues to send Attention messages, creating a mismatch. The current implementation of the typec_altmode_attention function does not verify the existence of a device's Alt mode partner, leading to a NULL pointer error when the partner's Alt mode data is accessed. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, which can lead to a system crash.

Reproduction

The vulnerability can be reproduced by connecting a device to a USB hub that negotiates DisplayPort Alt mode. After the device enters Alt mode, the hub should initiate a data role swap, causing the device to unregister all Alt modes. Despite the unregistration, the hub will continue to send Attention messages. This sequence creates the conditions for the NULL pointer dereference when the typec_altmode_attention function is called without a valid partner reference.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
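The missing partner check described under Vulnerability, run against the message sequence from Reproduction, as an added userspace model (not the kernel's code and not the upstream patch). All struct and function names and the VDO value are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only; all names here are hypothetical, not kernel code. */
struct altmode;
struct altmode_ops { void (*attention)(struct altmode *am, uint32_t vdo); };
struct altmode {
    struct altmode *partner;      /* NULL once partner Alt modes are unregistered */
    const struct altmode_ops *ops;
    unsigned attention_count;     /* Attention messages actually delivered */
};

static void count_attention(struct altmode *am, uint32_t vdo) { (void)vdo; am->attention_count++; }
static const struct altmode_ops dp_ops = { .attention = count_attention };

/* Unchecked pattern described above: dereferences partner even when it is NULL. */
void attention_unchecked(struct altmode *port, uint32_t vdo)
{
    struct altmode *partner = port->partner;
    if (partner->ops && partner->ops->attention)   /* crashes if partner == NULL */
        partner->ops->attention(partner, vdo);
}

/* Checked form: reject the late Attention instead of dereferencing NULL. */
int attention_checked(struct altmode *port, uint32_t vdo)
{
    struct altmode *partner = port->partner;
    if (!partner)
        return -ENODEV;
    if (partner->ops && partner->ops->attention)
        partner->ops->attention(partner, vdo);
    return 0;
}

/* Constructed replay: Attention in Alt mode, unregistration, then a late Attention. */
int replay_late_attention(unsigned *delivered)
{
    struct altmode partner = { .ops = &dp_ops };
    struct altmode port = { .partner = &partner };
    int first = attention_checked(&port, 0x1a);   /* constructed VDO value */
    port.partner = NULL;                          /* models unregistration after the role swap */
    int late = attention_checked(&port, 0x1a);
    *delivered = partner.attention_count;
    return first == 0 ? late : first;
}

int main(void) { unsigned n; int rc = replay_late_attention(&n); printf("late=%d delivered=%u\n", rc, n); return 0; }
```

The late Attention returns -ENODEV and only the first message reaches the partner handler; attention_unchecked is shown for contrast and is never called.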

Added: Dec 30, 2025, 2:13 PM
Updated: Dec 30, 2025, 2:13 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.