Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A NULL pointer dereference vulnerability has been identified in the Linux kernel's USB Ethernet gadget function, specifically in the ECM (Ethernet Control Model) implementation. This issue arises after a bind/unbind cycle, where the notification request pointer is left in a stale state. If a subsequent bind operation fails, the error handling attempts to free this stale request, leading to a NULL pointer dereference when accessing the endpoint's request free operation. The vulnerability has been addressed by refactoring the error handling in the bind process to utilize the automatic cleanup mechanism, ensuring that stale pointers are properly managed and do not lead to memory access errors.
Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash of the affected component or system.
The vulnerability can be reproduced by cycling through bind and unbind operations on the USB Ethernet gadget function. After the first bind/unbind cycle, the notification request pointer is left stale. If the next bind operation fails, the error handling tries to free the stale request, causing a NULL pointer dereference when it attempts to access the request free operation of the endpoint.
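The stale-pointer error path and the scoped-cleanup fix described above, as a user-space C model added here (it is not kernel code and not the actual patch). All type and function names are hypothetical, the compiler `cleanup` attribute stands in for the kernel's automatic cleanup mechanism, and the model counts the stale free instead of crashing.

```c
#include <stdio.h>

/* User-space model of the pattern; every name here is hypothetical. */
struct req { int live; };
struct func { struct req *notify_req; };  /* long-lived, survives unbind */

static struct req slot;   /* stands in for the endpoint's request allocator */
static int stale_frees;   /* frees of a request that was already released */

static struct req *req_alloc(void) { slot.live = 1; return &slot; }
static void req_free(struct req *r) { if (!r->live) stale_frees++; r->live = 0; }

static void unbind(struct func *f) { req_free(f->notify_req); } /* field stays set */

/* Pre-fix shape: the error path picks what to free from the long-lived field. */
static int bind_legacy(struct func *f, int fail_early)
{
    if (fail_early) goto fail;       /* fails before anything is allocated */
    f->notify_req = req_alloc();
    return 0;
fail:
    if (f->notify_req)               /* non-NULL only because it is stale */
        req_free(f->notify_req);     /* kernel: call through the endpoint's ops */
    return -1;
}

/* Scope-exit handler: frees only what this bind call still owns. */
static void req_cleanup(struct req **r) { if (*r) req_free(*r); }

/* Post-fix shape: a scoped local owns the request until bind succeeds. */
static int bind_scoped(struct func *f, int fail_early)
{
    __attribute__((cleanup(req_cleanup))) struct req *r = NULL;
    if (fail_early) return -1;       /* r is NULL, so nothing is freed */
    r = req_alloc();
    f->notify_req = r;               /* publish to the long-lived struct ... */
    r = NULL;                        /* ... and give up local ownership */
    return 0;
}

/* bind, unbind, then a bind that fails early; returns the stale-free count. */
static int cycle(int (*bind)(struct func *, int))
{
    struct func f = { NULL };
    stale_frees = 0;
    bind(&f, 0); unbind(&f); bind(&f, 1);
    return stale_frees;
}

int main(void) { printf("legacy=%d scoped=%d\n", cycle(bind_legacy), cycle(bind_scoped)); return 0; }
```

The legacy shape only misbehaves on the second, failing bind; a failing first bind sees a NULL field and frees nothing, which is why the defect needs a full bind/unbind cycle to surface.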
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.