Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's I2C Cros-EC tunnel module can lead to a NULL pointer dereference. This issue occurs when the Cros-EC tunnel and the EC driver are built-in, causing the EC parent device to be unavailable. The vulnerability can also be reproduced by unbinding the controller driver and then loading the Cros-EC tunnel module, or by binding the device after unbinding the controller.
Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the affected system.
To reproduce this vulnerability, first ensure that both the I2C Cros-EC tunnel and the EC driver are built-in. This will result in the EC parent device not being found, which triggers the NULL pointer dereference. Alternatively, the vulnerability can be reproduced by unbinding the controller driver, loading the I2C Cros-EC tunnel module, and then binding the device, which also leads to the NULL pointer dereference.
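The failure mode described above, as a simplified userspace C model added here for illustration; it is not the kernel's code or the upstream patch. The struct and function names are hypothetical, and deferring the probe when the parent has no driver data is an assumed mitigation shape.

```c
#include <stddef.h>

/* Kernel-internal "retry this probe later" code; defined here because
 * userspace <errno.h> does not expose it. */
#define EPROBE_DEFER 517

struct ec_device { int max_xfer; };   /* hypothetical stand-in for parent EC state */
struct device {
    struct device *parent;
    void *drvdata;                    /* NULL until a driver has bound */
    int bound;
};

/* Unguarded shape: trusts that the parent already has driver data.
 * With an unbound parent, ec is NULL and ec->max_xfer faults. */
int tunnel_probe_unguarded(struct device *dev)
{
    struct ec_device *ec = dev->parent->drvdata;
    dev->bound = ec->max_xfer > 0;
    return 0;
}

/* Guarded shape: report "not ready" instead of dereferencing NULL. */
int tunnel_probe_guarded(struct device *dev)
{
    struct ec_device *ec = dev->parent ? dev->parent->drvdata : NULL;
    if (!ec)
        return -EPROBE_DEFER;
    dev->bound = ec->max_xfer > 0;
    return 0;
}

/* Models the ordering from the text: the tunnel probes while the EC parent
 * is unbound, then the parent binds and the deferred probe is retried.
 * Returns 1 if the tunnel ends up bound; *first_result is the first attempt. */
int simulate_tunnel_before_parent(int *first_result)
{
    static struct ec_device ec = { .max_xfer = 64 };   /* constructed sample */
    struct device parent = { NULL, NULL, 0 };
    struct device tunnel = { &parent, NULL, 0 };

    *first_result = tunnel_probe_guarded(&tunnel);     /* parent not bound yet */
    parent.drvdata = &ec;                              /* EC driver binds */
    parent.bound = 1;
    if (*first_result == -EPROBE_DEFER)
        return tunnel_probe_guarded(&tunnel) == 0 && tunnel.bound;
    return tunnel.bound;
}
```

`tunnel_probe_unguarded` is shown only for comparison; calling it with an unbound parent crashes the process, which is the userspace analogue of the kernel oops.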