Linux Kernel RTL818x NULL Pointer Dereference Vulnerability in Wireless Driver

A vulnerability in the Linux kernel's RTL818x wireless driver has been identified, which can lead to a NULL pointer dereference. This issue occurs in the RTL8187 wireless driver when the function 'rtl8187_stop()' clears the transmission status queue without first killing the anchored USB requests. As a result, callbacks may attempt to access already-freed socket buffers, causing a kernel NULL pointer dereference. This vulnerability was discovered by the Linux Verification Center using static analysis.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the kernel and potentially causing a denial of service.

Reproduction

The vulnerability can be reproduced by using a device with an RTL8187BvE wireless chipset. When the 'rtl8187_stop()' function is called, the vulnerability triggers because the function clears the transmission status queue before terminating the anchored USB requests. This sequence allows the transmission status queue to access socket buffers that have already been freed, causing a NULL pointer dereference in the kernel.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The patch is included in the official Linux kernel repositories.