Linux Kernel USB Gadget UVC NULL Pointer Dereference Vulnerability

Vulnerability

A race condition leading to a NULL pointer dereference has been identified in the USB gadget UVC (USB Video Class) function of the Linux kernel. This vulnerability arises during the unbinding process of a UVC function, particularly in the context of power management transitions. When the power management subsystem freezes user space processes, a synchronization mechanism intended to prevent kernel panics is disrupted. As a result, the unbind process can set a critical pointer to NULL, and a later access to that pointer causes a kernel panic. This issue affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by binding a UVC function to a USB gadget, then initiating a power management suspend process that freezes user space processes. While the system is suspended, the UVC function unbind process can be triggered, which will nullify the gadget pointer. Once the system resumes and user space processes are restarted, a kernel panic occurs when the V4L2 release path attempts to access the nullified pointer.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the latest version can be found on the official Linux kernel website.
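
An exposure check to go with the remediation above, as an added example that is not part of the original advisory: it reports whether a host has a UVC function configured in USB gadget configfs and whether that gadget is bound to a controller. The configfs and /proc/modules paths are the standard kernel locations; the ROOT argument and the four status words are assumptions of this example, and the script does not determine whether the running kernel contains the fix.

```shell
#!/bin/sh
# Added example: inventory of USB gadget UVC usage on a host.
# ROOT (hypothetical parameter) lets the check run against a copied or
# constructed tree; leave it empty to inspect the live system.

# Print one line per UVC function instance found in gadget configfs:
#   "<gadget> <function> bound|unbound"
list_uvc_functions() {
    root="${1:-}"
    for fn in "$root"/sys/kernel/config/usb_gadget/*/functions/uvc.*; do
        [ -d "$fn" ] || continue
        gadget_dir="${fn%/functions/*}"
        # A non-empty UDC attribute means the gadget is bound to a controller.
        udc=""
        if [ -r "$gadget_dir/UDC" ]; then
            udc="$(tr -d '[:space:]' < "$gadget_dir/UDC")"
        fi
        if [ -n "$udc" ]; then state=bound; else state=unbound; fi
        echo "${gadget_dir##*/} ${fn##*/} $state"
    done
}

# Succeed if the UVC function module or the legacy webcam gadget is loaded.
# Drivers built into the kernel image do not appear in /proc/modules.
uvc_module_loaded() {
    root="${1:-}"
    [ -r "$root/proc/modules" ] || return 1
    grep -Eq '^(usb_f_uvc|g_webcam) ' "$root/proc/modules"
}

# Summarise as one word (status words are this example's own):
#   active      a UVC function exists and its gadget is bound
#   configured  a UVC function exists but its gadget is unbound
#   module-only no configfs UVC function, but a UVC gadget module is loaded
#   absent      no sign of the UVC gadget function
uvc_exposure() {
    root="${1:-}"
    funcs="$(list_uvc_functions "$root")"
    if echo "$funcs" | grep -q ' bound$'; then echo active
    elif [ -n "$funcs" ]; then echo configured
    elif uvc_module_loaded "$root"; then echo module-only
    else echo absent
    fi
}
```

Hosts that report active or configured and also suspend are the ones to prioritise for the kernel upgrade.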

Added: May 1, 2026, 5:00 PM
Updated: May 1, 2026, 5:00 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.