Linux Kernel Cpufreq Intel Pstate NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Intel P-state driver of the Linux kernel's cpufreq subsystem. The issue affects kernel versions through 6.18 on systems booted with the 'nosmt' parameter. In this configuration, the 'cpudata' for certain CPU threads is NULL, and the 'update_cpu_qos_request()' function dereferences it when it tries to access the 'turbo_freq' variable. The root cause is that the function does not validate the 'policy' before dereferencing 'cpudata'.
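The ordering problem described above, as a user-space model added here for illustration; it is not kernel source or the upstream patch. The struct layouts, the arrays, policy_get() and both qos_freq_*() functions are hypothetical stand-ins, and the model assumes that a thread without 'cpudata' also has no policy.

```c
#include <stddef.h>
#include <stdio.h>

#define NR_CPUS 4

/* Simplified stand-ins for the driver's per-CPU state (hypothetical layout). */
struct cpudata { unsigned int turbo_freq; };
struct policy  { int cpu; };

/* Constructed sample: with 'nosmt', sibling threads 1 and 3 are never brought
 * up, so in this model they have neither cpudata nor a cpufreq policy. */
static struct cpudata cpu0 = { 4200000 }, cpu2 = { 4200000 };
static struct policy  pol0 = { 0 },       pol2 = { 2 };
static struct cpudata *all_cpu_data[NR_CPUS] = { &cpu0, NULL, &cpu2, NULL };
static struct policy  *policies[NR_CPUS]     = { &pol0, NULL, &pol2, NULL };

static struct policy *policy_get(int cpu)
{
    return (cpu >= 0 && cpu < NR_CPUS) ? policies[cpu] : NULL;
}

/* Vulnerable ordering: turbo_freq is read before the policy is validated,
 * so an offline sibling dereferences NULL. Shown for contrast, never called. */
unsigned int qos_freq_unchecked(int cpu)
{
    struct cpudata *cpudata = all_cpu_data[cpu];
    unsigned int freq = cpudata->turbo_freq;   /* NULL dereference for cpu 1, 3 */

    return policy_get(cpu) ? freq : 0;
}

/* Hardened ordering: validate the policy (and cpudata) first, then read. */
unsigned int qos_freq_checked(int cpu)
{
    struct policy *policy = policy_get(cpu);
    struct cpudata *cpudata;

    if (!policy)
        return 0;                 /* no policy for this CPU: nothing to update */
    cpudata = all_cpu_data[cpu];
    if (!cpudata)
        return 0;                 /* defensive: no per-CPU data either */
    return cpudata->turbo_freq;
}

int main(void)
{
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        printf("cpu%d -> %u kHz\n", cpu, qos_freq_checked(cpu));
    return 0;
}
```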

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash of the affected process or system.

Reproduction

To reproduce this vulnerability, boot a system with the 'nosmt' parameter, which disables simultaneous multithreading. Then, invoke the 'update_cpu_qos_request()' function in the Intel P-state cpufreq driver. The function will attempt to access the 'turbo_freq' variable through a NULL 'cpudata' pointer, causing a NULL pointer dereference.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: May 8, 2026, 8:59 PM
Updated: May 8, 2026, 8:59 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.