Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A NULL pointer dereference in the USB gadget target driver ('f_tcm') of the Linux kernel can cause a kernel panic and a local denial of service. The 'tpg->tpg_nexus' pointer is created and torn down dynamically under userspace control through ConfigFS, so it can legitimately be NULL at the moment a request from the USB host arrives: before the nexus has been established, or immediately after it has been dropped. Within that window, 'bot_submit_command()' and the data-transfer paths fetch 'tv_nexus = tpg->tpg_nexus' and immediately dereference 'tv_nexus->tvn_se_sess' without checking it. A malicious or misconfigured USB host that sends a Bulk-Only Transport (BOT) command during the race window therefore triggers a NULL pointer dereference and panics the kernel. The missing check is an inconsistency within the module: comparable functions in the same driver test the nexus pointer for NULL before using it.
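The vulnerable pattern and its hardened counterpart, as an added user-space illustration that is not the kernel's own f_tcm code. The struct shapes ('usbg_tpg', 'usbg_nexus', 'se_session'), the 'nexus_establish'/'nexus_drop' helpers standing in for the ConfigFS lifecycle, the '_unchecked'/'_checked' function names and the choice of '-ENODEV' as the rejection status are all assumptions made for the example; only the field names 'tpg_nexus' and 'tvn_se_sess' come from the advisory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-ins for the kernel structures the advisory names.
 * The real f_tcm structures carry many more fields; only the pointer
 * chain tpg -> tpg_nexus -> tvn_se_sess matters here. */
struct se_session { int sess_id; };
struct usbg_nexus { struct se_session *tvn_se_sess; };
struct usbg_tpg { struct usbg_nexus *tpg_nexus; };

/* One statically allocated session/nexus so the example runs without malloc. */
static struct se_session the_session = { .sess_id = 42 };
static struct usbg_nexus the_nexus = { .tvn_se_sess = &the_session };

/* Stand-ins for the ConfigFS-driven lifecycle: userspace can create or
 * drop the nexus at any time, independently of what the USB host is doing. */
void nexus_establish(struct usbg_tpg *tpg) { tpg->tpg_nexus = &the_nexus; }
void nexus_drop(struct usbg_tpg *tpg) { tpg->tpg_nexus = NULL; }

/* Vulnerable shape described by the advisory: fetch the pointer and
 * dereference it at once. If a BOT command arrives while tpg_nexus is
 * NULL, the read of tv_nexus->tvn_se_sess faults (kernel panic). */
int bot_submit_command_unchecked(struct usbg_tpg *tpg, unsigned int tag)
{
    struct usbg_nexus *tv_nexus = tpg->tpg_nexus;
    struct se_session *sess = tv_nexus->tvn_se_sess; /* faults when tv_nexus == NULL */
    (void)tag;
    return sess->sess_id;
}

/* Hardened shape: validate the nexus (and the session it points to)
 * before touching either, and fail the command instead of crashing. */
int bot_submit_command_checked(struct usbg_tpg *tpg, unsigned int tag)
{
    struct usbg_nexus *tv_nexus = tpg->tpg_nexus;
    if (!tv_nexus || !tv_nexus->tvn_se_sess)
        return -ENODEV; /* assumed error code for "no nexus yet / nexus gone" */
    (void)tag;
    return tv_nexus->tvn_se_sess->sess_id;
}

/* Results of the last race_window_demo() run, indexed by command. */
static int last_results[3];
int race_window_result(int i) { return last_results[i]; }

/* Drive the race window described in the advisory: the host sends a
 * command before the nexus exists, while it is live, and right after
 * ConfigFS drops it. Returns how many commands were rejected cleanly.
 * Swapping in bot_submit_command_unchecked() here would segfault on
 * the first and third commands, which is the user-space analogue of
 * the kernel panic. */
int race_window_demo(void)
{
    struct usbg_tpg tpg = { .tpg_nexus = NULL };
    int rejected = 0;

    last_results[0] = bot_submit_command_checked(&tpg, 1); /* before establish */
    nexus_establish(&tpg);
    last_results[1] = bot_submit_command_checked(&tpg, 2); /* nexus live */
    nexus_drop(&tpg);
    last_results[2] = bot_submit_command_checked(&tpg, 3); /* right after drop */

    for (int i = 0; i < 3; i++)
        if (last_results[i] == -ENODEV)
            rejected++;
    return rejected;
}

int main(void)
{
    int rejected = race_window_demo();
    printf("rejected %d of 3 commands; live command saw session %d\n",
           rejected, race_window_result(1));
    return 0;
}
```

The check itself is the whole fix: the host-facing paths cannot assume the ConfigFS side has finished creating the nexus or has not yet torn it down, so every entry point that reads 'tpg->tpg_nexus' has to treat NULL as a normal state and reject the command, exactly as the driver's other functions already did.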
Exploitation of this vulnerability causes a kernel panic, leading to a local denial-of-service condition.
To reproduce, configure a USB gadget that exposes an 'f_tcm' function through ConfigFS. With the function bound, have a USB host (real or emulated) issue Bulk-Only Transport commands timed to arrive before 'tpg_nexus' has been established or immediately after it has been dropped. Adjusting the timing of the host's commands relative to nexus creation and teardown on the gadget side opens the race window in which the NULL pointer dereference is triggered.
Update to a Linux kernel release that contains the fix for this issue. Instructions for updating the kernel are available in the official Linux documentation or through the package manager of the distribution in use. Until the kernel is updated, exposure is limited to systems that actually bind an 'f_tcm' gadget function and expose it to a USB host that is not trusted.