Linux Kernel VUB300 Driver NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's VUB300 USB-to-SD/SDIO/MMC driver can lead to NULL pointer dereferences or use-after-free errors. This issue occurs because the driver does not properly deregister the controller before releasing the driver data reference during the disconnection process. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can cause NULL pointer dereferences or use-after-free conditions in the kernel, which can be exploited to execute arbitrary code or cause a denial of service.

Reproduction

To reproduce this vulnerability, connect a VUB300 USB-to-SD/SDIO/MMC device to a system running an affected version of the Linux kernel; the driver is loaded automatically. When the device is disconnected, the driver releases its driver data reference and then attempts to remove the host without having deregistered the controller first. This ordering triggers the NULL pointer dereference or use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Apr 24, 2026, 4:18 PM
Updated: Apr 24, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 2.0
remediation: 7.7
relevance: 6.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.