Linux Kernel UVC Gadget NULL Pointer Dereference Vulnerability in Frame-Based Format Handling

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's USB Video Class (UVC) gadget functionality, in its handling of frame-based formats. It was introduced by a previous commit that allowed the creation of new color matching descriptors for uncompressed and MJPEG formats. The color matching descriptor is not properly initialized for frame-based formats, so when the userspace configuration made via configfs does not explicitly define one, the code dereferences a NULL pointer and the kernel panics.

Impact

Exploitation of this vulnerability leads to a kernel crash due to a NULL pointer dereference, causing a denial of service condition.

Reproduction

The vulnerability can be reproduced by creating a UVC gadget configuration that includes frame-based formats but omits the color matching descriptor. This can be done through configfs by adding a frame-based format without specifying the color matching details. The missing descriptor will trigger the NULL pointer dereference when the configuration is processed, leading to a crash.

Remediation

The vulnerability has been addressed by initializing the color matching descriptor for frame-based formats, ensuring it is properly defined before being used. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
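The following userspace C model is an added illustration of the pattern described above, not code from the kernel or from the fix. Every type and function name in it is hypothetical and the descriptor values are constructed; it shows the format constructor that leaves the pointer unset for frame-based formats, the corrected constructor, and a consumer with the NULL guard.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; every name here is hypothetical, none is a kernel symbol. */
enum fmt_type { FMT_UNCOMPRESSED, FMT_MJPEG, FMT_FRAMEBASED };
struct color_match { unsigned char primaries, transfer, matrix; };
struct format {
    enum fmt_type type;
    const struct color_match *color_matching; /* NULL until something sets it */
};
static const struct color_match default_cm = { 1, 1, 4 }; /* constructed values */

/* "Before": only uncompressed and MJPEG formats receive the default. */
struct format *format_make_before(enum fmt_type t)
{
    struct format *f = calloc(1, sizeof(*f));
    if (!f) return NULL;
    f->type = t;
    if (t != FMT_FRAMEBASED)
        f->color_matching = &default_cm;
    return f;
}

/* "After": every format type is initialized, as the remediation describes. */
struct format *format_make_after(enum fmt_type t)
{
    struct format *f = format_make_before(t);
    if (f && !f->color_matching)
        f->color_matching = &default_cm;
    return f;
}

/* Guarded consumer: returns bytes written, or -1 if the descriptor is unset. */
int format_emit_color_desc(const struct format *f, unsigned char out[3])
{
    if (!f || !f->color_matching)
        return -1; /* an unguarded read here is the NULL dereference */
    out[0] = f->color_matching->primaries;
    out[1] = f->color_matching->transfer;
    out[2] = f->color_matching->matrix;
    return 3;
}

int main(void)
{
    unsigned char buf[3];
    struct format *a = format_make_before(FMT_FRAMEBASED);
    struct format *b = format_make_after(FMT_FRAMEBASED);
    printf("before: %d, after: %d\n", format_emit_color_desc(a, buf), format_emit_color_desc(b, buf));
    free(a); free(b);
    return 0;
}
```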

Added: Aug 19, 2025, 6:53 PM
Updated: Aug 19, 2025, 6:53 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.