Linux Kernel PCI/AER NULL Pointer Dereference Vulnerability in aer_ratelimit()

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's PCI/AER error handling. When platform firmware communicates error information to the operating system via the ACPI APEI GHES mechanism, it may point to a device that does not support AER Capability. In such cases, the device's aer_info, which holds AER statistics and ratelimiting data, is NULL. While the function pci_dev_aer_stats_incr() includes a check for a NULL aer_info, the aer_ratelimit() function does not. This oversight can lead to NULL pointer dereferences, as demonstrated by a reported hardware error from an Intel Sky Lake-E device that claimed to be a Root Port but lacked AER Capability. The vulnerability has been addressed by adding a NULL check in aer_ratelimit(), preventing the dereference and ensuring proper ratelimiting of AER events from GHES.
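The missing check and its fix, modelled in user space as an added example (not the kernel's code and not part of the original advisory). The struct layouts, severity constants, toy rate limiter, and the choice to log the event when aer_info is NULL are assumptions of this sketch.

```c
/* User-space model of the bug pattern; simplified, not kernel source. */
#include <stdio.h>

enum { SEV_CORRECTABLE, SEV_NONFATAL };             /* constructed values */
struct ratelimit { int burst, used; };              /* toy rate limiter */
struct aer_info  { struct ratelimit correctable, nonfatal; };
struct pci_dev_model { struct aer_info *aer_info; }; /* NULL: no AER Capability */

/* Returns 1 if the event may be logged, 0 if it is suppressed. */
static int ratelimit_ok(struct ratelimit *rl)
{
    int ok = rl->used < rl->burst;
    rl->used += ok;
    return ok;
}

/* "Before" shape: uses dev->aer_info unchecked; faults if it is NULL. */
int aer_ratelimit_unchecked(struct pci_dev_model *dev, int severity)
{
    struct ratelimit *rl = severity == SEV_NONFATAL ? &dev->aer_info->nonfatal
                                                    : &dev->aer_info->correctable;
    return ratelimit_ok(rl);
}

/* "After" shape: NULL check first. Assumption: with no state, log the event. */
int aer_ratelimit_checked(struct pci_dev_model *dev, int severity)
{
    if (!dev->aer_info)
        return 1;
    return aer_ratelimit_unchecked(dev, severity);
}

/* Feed n events of one severity; return how many were allowed through. */
int count_logged(struct pci_dev_model *dev, int severity, int n)
{
    int logged = 0;
    for (int i = 0; i < n; i++)
        logged += aer_ratelimit_checked(dev, severity);
    return logged;
}

int main(void)
{
    struct aer_info info = { { 3, 0 }, { 3, 0 } };  /* burst of 3 each */
    struct pci_dev_model with_aer = { &info }, no_aer = { NULL };
    printf("with AER: %d of 10 logged\n", count_logged(&with_aer, SEV_NONFATAL, 10));
    printf("no AER:   %d of 10 logged\n", count_logged(&no_aer, SEV_NONFATAL, 10));
    return 0;
}
```

The same audit applies to any other consumer of aer_info that can be reached from a firmware-reported error source rather than from the device's own AER Capability.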

Impact

Exploitation of this vulnerability leads to a kernel NULL pointer dereference, causing a system crash. The dereference occurs in the aer_ratelimit() function, which is part of the PCI AER error handling mechanism.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.

Added: Oct 28, 2025, 1:20 PM
Updated: Oct 28, 2025, 1:20 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.0
remediation: 7.7
relevance: 0.8
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.