Linux Kernel Null Pointer Dereference Vulnerability in af9005 I2C Transfer

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's handling of I2C messages in the af9005 USB DVB driver. This issue arises because the 'msg' parameter is user-controlled. When 'msg[i].buf' is null and 'msg[i].len' is zero, the existing checks on 'msg[i].buf' are bypassed, allowing malicious data to reach the 'af9005_i2c_xfer' function. If 'msg[i].buf[0]' is accessed without proper validation, it leads to a null pointer dereference. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes a null pointer dereference, which can lead to a crash of the affected application or service.

Reproduction

To reproduce this vulnerability, send an I2C message where 'msg[i].buf' is null and 'msg[i].len' is zero. The absence of a proper validation check will allow the message to be processed, ultimately leading to a null pointer dereference when the buffer is accessed.
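The validation that is missing in the scenario above, shown as an added example (not the driver's code or the upstream patch). The struct is a simplified stand-in for the kernel's `struct i2c_msg`, and the `xfer_checked` name, its `last_reg` parameter and the choice of error codes are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's struct i2c_msg (assumption:
 * only the fields the advisory mentions are modelled). */
struct i2c_msg_model {
    uint16_t addr;
    uint16_t len;   /* number of bytes in buf */
    uint8_t *buf;   /* may be NULL when len == 0 */
};

/* Hypothetical transfer handler that treats buf[0] as a register number.
 * Every message is validated before its first byte is read. */
static int xfer_checked(const struct i2c_msg_model *msg, int num,
                        uint8_t *last_reg)
{
    if (msg == NULL || last_reg == NULL || num < 1)
        return -EINVAL;

    for (int i = 0; i < num; i++) {
        /* The case from the advisory: buf == NULL together with len == 0.
         * Length and pointer are both tested explicitly, so buf[0] is
         * only read when at least one byte is really there. */
        if (msg[i].len < 1 || msg[i].buf == NULL)
            return -EOPNOTSUPP;

        *last_reg = msg[i].buf[0];
    }
    return num;   /* I2C convention: number of messages processed */
}

int main(void)
{
    uint8_t data[2] = { 0x2a, 0x01 };            /* constructed sample payload */
    struct i2c_msg_model good  = { 0x50, 2, data };
    struct i2c_msg_model empty = { 0x50, 0, NULL }; /* constructed bad message */
    uint8_t reg = 0;

    printf("good  -> %d\n", xfer_checked(&good, 1, &reg));
    printf("empty -> %d\n", xfer_checked(&empty, 1, &reg));
    return 0;
}
```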

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Dec 30, 2025, 1:58 PM
Updated: Dec 30, 2025, 1:58 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.