Linux Kernel Remoteproc NULL Pointer Dereference Vulnerability

A vulnerability in the Linux kernel's remoteproc component can lead to a NULL pointer dereference, causing a kernel crash. This issue occurs on i.MX8MP and i.MX9 platforms. The vulnerability arises when a remote processor is stopped, and a new firmware without a resource table is loaded. Upon starting the remote processor, the absence of a resource table leads to a memory copy operation that dereferences a NULL pointer, triggering a kernel panic.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the affected system.

Reproduction

The vulnerability can be reproduced by using U-Boot to start a remote processor with a resource table published to a fixed address. After the kernel boots, the remote processor is stopped, and a new firmware that does not include a resource table is loaded. When the remote processor is started again, the missing resource table causes a NULL pointer dereference, as the process attempts to copy a non-existent resource table, which has been cleared during the shutdown process.

Remediation

To address this vulnerability, the remote processor's resource table size should be cleared before shutting it down.