Linux Kernel NULL Pointer Dereference Vulnerability in USB Gadget Function NCM

Vulnerability

A vulnerability in the Linux kernel's USB gadget function for Network Control Model (NCM) has been addressed. After a bind/unbind cycle, the function's notification request was left stale. If a subsequent bind then failed, the error handling attempted to free the stale request, causing a NULL pointer dereference when accessing the endpoint's operations for freeing requests. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability leads to a NULL pointer dereference, causing a kernel crash.

Reproduction

The vulnerability can be reproduced by cycling through the bind and unbind process of the NCM function in the USB gadget framework. After an unbind, if the next bind attempt fails, the error handling will try to free a request that was not properly cleared, leading to a NULL pointer dereference.

Remediation

The vulnerability has been fixed in the Linux kernel stable tree by refactoring the bind process to use an automatic cleanup mechanism that properly handles request deallocation.
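The stale-request pattern and the scoped-cleanup fix can be modelled in userspace C. This is an added example, not the kernel's code: every name is hypothetical, the endpoint's ops pointer is assumed to be NULL while unbound, and the GCC/Clang `cleanup` attribute stands in for the automatic cleanup mechanism. The model reports the faulting access instead of performing it.

```c
#include <stdlib.h>

/* Userspace model with hypothetical names; not the kernel's NCM code. */
struct ep_ops { void (*free_request)(void *req); };
struct ep { const struct ep_ops *ops; };  /* assumption: NULL while unbound */
struct func { struct ep *notify; void *notify_req; };
enum result { BIND_OK, FAIL_CLEAN, FAIL_WOULD_DEREF_NULL };
static void ep_free(void *req) { free(req); }
static const struct ep_ops live_ops = { ep_free };
static void drop_req(void **p) { free(*p); }  /* runs when the local leaves scope */

/* Unbind frees the request but leaves the pointer in the struct (stale). */
static void unbind_stale(struct func *f) {
    f->notify->ops->free_request(f->notify_req);
    f->notify->ops = NULL;
}

/* Before: a single error label frees whatever f->notify_req holds. */
static enum result bind_unified(struct func *f, struct ep *e, int fail) {
    f->notify = e;
    if (fail) goto fail;
    e->ops = &live_ops;
    f->notify_req = malloc(16);
    return BIND_OK;
fail: /* real code: e->ops->free_request(f->notify_req) with e->ops == NULL */
    return f->notify_req ? FAIL_WOULD_DEREF_NULL : FAIL_CLEAN;
}

/* After: the request stays in a scoped local until bind has succeeded. */
static enum result bind_scoped(struct func *f, struct ep *e, int fail_at) {
    __attribute__((cleanup(drop_req))) void *req = NULL;
    if (fail_at == 1) return FAIL_CLEAN;  /* nothing allocated, stale field untouched */
    req = malloc(16);
    if (!req || fail_at == 2) return FAIL_CLEAN;  /* drop_req() frees req */
    e->ops = &live_ops;
    f->notify = e;
    f->notify_req = req;
    req = NULL;                           /* ownership moved, cleanup frees nothing */
    return BIND_OK;
}

/* bind, unbind, then a failing bind: the sequence the advisory describes. */
static enum result cycle_then_failed_bind(int scoped) {
    struct ep e = { NULL };
    struct func f = { NULL, NULL };
    if ((scoped ? bind_scoped(&f, &e, 0) : bind_unified(&f, &e, 0)) != BIND_OK)
        return BIND_OK;  /* setup failed; not expected in this model */
    unbind_stale(&f);
    return scoped ? bind_scoped(&f, &e, 1) : bind_unified(&f, &e, 1);
}
```

`cycle_then_failed_bind(0)` returns `FAIL_WOULD_DEREF_NULL` for the unified error label, while `cycle_then_failed_bind(1)` returns `FAIL_CLEAN` because the failing bind only ever releases its own local request.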

Added: Oct 30, 2025, 10:38 AM
Updated: Oct 30, 2025, 3:41 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.