Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A NULL pointer dereference vulnerability has been identified in the Linux kernel's Wi-Fi MT76 MT7925 driver. This issue can lead to a kernel panic when the driver is used in Access Point (AP) mode. The vulnerability arises in the 'mt7925_sta_set_decap_offload' function, which is called before a station is fully initialized, causing a page fault by accessing a NULL virtual interface pointer. The problem has been addressed by adding a NULL check for the virtual interface pointer and ensuring that the station's state is ready before proceeding with certain configurations.
Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.
To reproduce this vulnerability, run a version of the Linux kernel that includes the vulnerable MT7925 Wi-Fi driver on a Raspberry Pi 4 Model B, with the driver operating in Access Point mode. The vulnerability manifests as a kernel panic when the 'mt7925_sta_set_decap_offload' function attempts to access the station's virtual interface before the station is fully initialized.
Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Raspberry Pi documentation.
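The fix pattern described above (a NULL check on the virtual interface pointer plus a station-ready check), shown as an added user-space C model that is not the mt76 driver's code. All `model_*` names, the flag value and the deferred-apply behaviour are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdbool.h>

/* User-space model with hypothetical names; not the mt76 driver's structures. */
#define MODEL_DECAP_OFFLOAD 0x1u

struct model_vif { unsigned int offload_flags; };

struct model_sta {
    struct model_vif *vif; /* NULL until station setup has bound an interface */
    bool ready;            /* set only when station setup has completed */
    bool want_decap;       /* last requested setting, applied once ready */
};

static void model_apply(struct model_sta *sta)
{
    if (sta->want_decap)
        sta->vif->offload_flags |= MODEL_DECAP_OFFLOAD;
    else
        sta->vif->offload_flags &= ~MODEL_DECAP_OFFLOAD;
}

/* Guarded callback: 0 if applied, -EAGAIN if deferred, -EINVAL on bad input. */
static int model_set_decap_offload(struct model_sta *sta, bool enabled)
{
    if (!sta)
        return -EINVAL;
    sta->want_decap = enabled;
    /* Without this check, an early call dereferences a NULL vif. */
    if (!sta->vif || !sta->ready)
        return -EAGAIN;
    model_apply(sta);
    return 0;
}

/* Assumption of this model: the deferred setting is applied at end of setup. */
static void model_sta_finish_init(struct model_sta *sta, struct model_vif *vif)
{
    sta->vif = vif;
    sta->ready = true;
    model_apply(sta);
}

int main(void)
{
    struct model_vif vif = {0};
    struct model_sta sta = {0};
    int early = model_set_decap_offload(&sta, true); /* deferred, no crash */
    model_sta_finish_init(&sta, &vif);
    return (early == -EAGAIN && vif.offload_flags == MODEL_DECAP_OFFLOAD) ? 0 : 1;
}
```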