Linux Kernel NULL Pointer Dereference Vulnerability in USB Gadget Ethernet Function
Vulnerability
A NULL pointer dereference vulnerability has been identified in the Linux kernel's USB gadget Ethernet function, specifically in the u_ether.c file. The issue affects Linux kernel versions prior to the latest stable release. It arises when the net_device lifecycle is improperly managed during device unbinding, particularly with the USB Communications Device Class (CDC) Network Control Model (NCM) gadget. When the gadget device is detached, the pointer to the gadget is cleared, creating a window in which a userspace tool can query the interface and cause a NULL pointer dereference. The flaw has been addressed by adding a NULL check for the gadget pointer in the eth_get_drvinfo function, so that the firmware version and bus information are not copied when the device is detached.
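As an added illustration of the fix pattern (a constructed model written for this page, not the kernel's own u_ether.c code; struct names, fields and the "g_ether" string are simplified stand-ins), the unchecked handler dereferences the gadget pointer that unbind has cleared, while the checked handler leaves the gadget-derived fields empty when the pointer is NULL:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures, not the real definitions. */
struct usb_gadget {
    const char *name;      /* stands in for gadget->name (firmware version field) */
    const char *bus_info;  /* stands in for dev_name(&gadget->dev) */
};

struct eth_dev {
    struct usb_gadget *gadget;  /* cleared by the unbind path */
};

struct drvinfo {
    char driver[32];
    char fw_version[32];
    char bus_info[32];
};

/* Before the fix: dev->gadget is dereferenced unconditionally. Once unbind
 * has cleared it, this is the NULL pointer dereference described above. */
static void get_drvinfo_unchecked(const struct eth_dev *dev, struct drvinfo *p)
{
    snprintf(p->driver, sizeof p->driver, "%s", "g_ether");
    snprintf(p->fw_version, sizeof p->fw_version, "%s", dev->gadget->name);
    snprintf(p->bus_info, sizeof p->bus_info, "%s", dev->gadget->bus_info);
}

/* After the fix: gadget-dependent fields are filled only while a gadget is
 * attached. Returns 1 if they were filled, 0 if the device is detached. */
static int get_drvinfo_checked(const struct eth_dev *dev, struct drvinfo *p)
{
    memset(p, 0, sizeof *p);
    snprintf(p->driver, sizeof p->driver, "%s", "g_ether");
    if (!dev->gadget)
        return 0;
    snprintf(p->fw_version, sizeof p->fw_version, "%s", dev->gadget->name);
    snprintf(p->bus_info, sizeof p->bus_info, "%s", dev->gadget->bus_info);
    return 1;
}

/* Models the unbind path clearing the pointer while the interface can still be queried. */
static void unbind_gadget(struct eth_dev *dev) { dev->gadget = NULL; }

/* Detach, then query through the checked handler; returns 1 if the query was
 * refused safely with the driver name still reported and no gadget fields set. */
static int detach_then_query(void)
{
    struct usb_gadget g = { "dummy_udc", "dummy_udc.0" };  /* constructed sample values */
    struct eth_dev dev = { &g };
    struct drvinfo info;
    unbind_gadget(&dev);
    return get_drvinfo_checked(&dev, &info) == 0 && info.fw_version[0] == '\0'
        && info.bus_info[0] == '\0' && strcmp(info.driver, "g_ether") == 0;
}
```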
Impact
Exploitation of this vulnerability leads to a kernel panic due to an unhandled NULL pointer dereference, causing a denial of service.
Reproduction
To reproduce this vulnerability, bind a USB gadget that uses the Ethernet function, such as the CDC NCM gadget. During the unbinding process, the gadget pointer is cleared, but the interface may still appear active. If a userspace tool, like ethtool, queries the interface at this moment, it will trigger a NULL pointer dereference in the kernel, causing a crash. This can be automated with a script that unbinds the gadget and immediately queries the interface.
Remediation
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the documentation for the specific Linux distribution in use.