Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's USB gadget RNDIS function can lead to a NULL pointer dereference. After a bind/unbind cycle, the notification request pointer is left stale. If a subsequent bind operation fails, the error handling attempts to free this stale request and dereferences a NULL pointer when it reaches for the endpoint's request free operation. The root cause lies in the error handling of the bind process, which does not properly clean up request pointers, particularly when an error occurs after an earlier bind operation has completed successfully.
Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash of the affected component or system.
The vulnerability can be reproduced by cycling through a bind and unbind process in the USB gadget RNDIS function. After the unbind, if the next bind attempt fails, the error handling will try to free a request that is no longer valid, causing a NULL pointer dereference. This can be automated with a script that binds the function, unbinds it, and then attempts to bind it again, intentionally causing a failure.
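The stale-pointer lifecycle described in the two paragraphs above, modeled as an added example that is constructed here and is not the kernel's code (struct and function names are hypothetical stand-ins): unbind frees the notification request but leaves the pointer set, and the next bind's error path hands that pointer to an endpoint free operation while no endpoint is assigned. The `clear_stale` flag shows one hardening, clearing the request pointer on unbind, which is an assumption of this model rather than a description of the upstream fix.

```c
#include <stdlib.h>

/* Constructed model of the bind/unbind lifecycle described above; every name
 * here is a hypothetical stand-in, not the kernel's own code. */
struct usb_request { int unused; };
struct usb_ep { int id; };
struct rndis_func {
    struct usb_ep *notify;          /* endpoint; NULL while unbound */
    struct usb_request *notify_req; /* notification request */
};
static int null_deref_count;        /* NULL dereferences the real code would hit */
static struct usb_ep g_ep = { 1 };
/* Stand-in for the endpoint's free operation; the real call goes through the
 * endpoint's ops table, so a NULL endpoint is a NULL dereference: count it. */
static void ep_free_request(struct usb_ep *ep, struct usb_request *req)
{
    if (!ep) { null_deref_count++; return; }
    free(req);
}
/* fail_ep != 0 simulates bind failing before an endpoint has been assigned. */
static int rndis_bind(struct rndis_func *f, int fail_ep)
{
    f->notify = fail_ep ? NULL : &g_ep;
    if (!f->notify)
        goto fail;
    f->notify_req = calloc(1, sizeof(*f->notify_req));
    return f->notify_req ? 0 : -1;
fail:   /* frees whatever notify_req holds, even a pointer left by an earlier
         * bind, through an endpoint that may not exist yet */
    if (f->notify_req)
        ep_free_request(f->notify, f->notify_req);
    return -1;
}
static void rndis_unbind(struct rndis_func *f, int clear_stale)
{
    ep_free_request(f->notify, f->notify_req);
    if (clear_stale)
        f->notify_req = NULL;       /* hardened: leave no dangling request */
    f->notify = NULL;
}
/* bind -> unbind -> failing bind; returns how many NULL dereferences the error
 * path would have triggered: 1 with the stale pointer, 0 once it is cleared. */
int bind_unbind_bind_cycle(int clear_stale)
{
    struct rndis_func f = { 0 };
    null_deref_count = 0;
    rndis_bind(&f, 0);
    rndis_unbind(&f, clear_stale);
    rndis_bind(&f, 1);
    return null_deref_count;
}
```

The model counts the would-be dereference instead of crashing, so the same cycle can be run in both the stale and the cleared configuration and compared.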
Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation.