CVE-2025-40032
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release
The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be NULL even after EPF initialization. Then it is prudent to check that they have non-NULL values before releasing the channels. Add the checks in pci_epf_test_clean_dma_chan().
Without the checks, NULL pointer dereferences happen and they can lead to a kernel panic in some cases:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
Call trace:
 dma_release_channel+0x2c/0x120 (P)
 pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test]
 pci_epc_deinit_notify+0x74/0xc0
 tegra_pcie_ep_pex_rst_irq+0x250/0x5d8
 irq_thread_fn+0x34/0xb8
 irq_thread+0x18c/0x2e8
 kthread+0x14c/0x210
 ret_from_fork+0x10/0x20
[mani: trimmed the stack trace]
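The fix described above, modelled in userspace as an added example (this is not the kernel's code). The names pci_epf_test, dma_chan_tx, dma_chan_rx, dma_release_channel() and the clean-DMA-channel routine come from the advisory; the mock dma_release_channel(), the counters and run_cleanup() are constructed here so a would-be NULL dereference is counted instead of crashing the process. The unchecked routine shows the pre-fix behaviour when one channel was never acquired; the checked routine releases only non-NULL channels and stays safe when deinit runs a second time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's struct dma_chan (constructed). */
struct dma_chan {
    const char *name;
    bool released;
};

/* Only the two fields the advisory talks about. */
struct pci_epf_test {
    struct dma_chan *dma_chan_tx;
    struct dma_chan *dma_chan_rx;
};

/* Observable side effects for the caller: the kernel would oops where
 * null_derefs is incremented. */
static int null_derefs;
static int releases_ok;

/* Mock of dma_release_channel(): records a NULL argument instead of
 * dereferencing it. */
static void dma_release_channel(struct dma_chan *chan)
{
    if (!chan) {
        null_derefs++;
        return;
    }
    chan->released = true;
    releases_ok++;
}

/* Pre-fix shape: releases both channels unconditionally, so a channel that
 * was never acquired (still NULL after EPF init) is dereferenced. */
static void clean_dma_chan_unchecked(struct pci_epf_test *epf_test)
{
    dma_release_channel(epf_test->dma_chan_tx);
    epf_test->dma_chan_tx = NULL;
    dma_release_channel(epf_test->dma_chan_rx);
    epf_test->dma_chan_rx = NULL;
}

/* Fixed shape: release only channels that are actually held, and clear the
 * pointer so a repeated deinit is a no-op. */
static void clean_dma_chan_checked(struct pci_epf_test *epf_test)
{
    if (epf_test->dma_chan_tx) {
        dma_release_channel(epf_test->dma_chan_tx);
        epf_test->dma_chan_tx = NULL;
    }
    if (epf_test->dma_chan_rx) {
        dma_release_channel(epf_test->dma_chan_rx);
        epf_test->dma_chan_rx = NULL;
    }
}

/* Runs a cleanup routine twice against a constructed EPF whose rx channel was
 * never acquired, and returns how many NULL dereferences the mock saw. */
static int run_cleanup(void (*clean)(struct pci_epf_test *))
{
    struct dma_chan tx = { "tx", false };
    struct pci_epf_test epf_test = { .dma_chan_tx = &tx, .dma_chan_rx = NULL };

    null_derefs = 0;
    releases_ok = 0;
    clean(&epf_test);   /* first deinit: rx is already NULL */
    clean(&epf_test);   /* second deinit: both pointers are now NULL */
    return null_derefs;
}

/* Number of real channels released by the most recent run_cleanup(). */
static int releases_in_last_run(void)
{
    return releases_ok;
}

int main(void)
{
    printf("unchecked cleanup: %d NULL dereference(s)\n",
           run_cleanup(clean_dma_chan_unchecked));
    printf("checked cleanup:   %d NULL dereference(s), %d channel(s) released\n",
           run_cleanup(clean_dma_chan_checked), releases_in_last_run());
    return 0;
}
```

With one held channel and one missing channel, the unchecked routine hits NULL three times across two deinit calls (rx on the first call, tx and rx on the second), which is the path the stack trace above records; the checked routine releases the single held channel exactly once and never touches a NULL pointer.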
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing NULL checks on DMA channels in Linux kernel's PCI endpoint function test driver can cause a NULL pointer dereference and kernel panic.
Vulnerability
Description
The Linux kernel's PCI endpoint function test driver (pci-epf-test) contains a NULL pointer dereference vulnerability in the pci_epf_test_clean_dma_chan() function. The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be NULL even after EPF initialization, but the code did not check for NULL before releasing the DMA channels via dma_release_channel(). This oversight leads to a kernel panic when a NULL pointer is dereferenced.
Exploitation
The vulnerability is triggered during EPF deinitialization (pci_epf_test_epc_deinit), which is called when a PCI reset event occurs (e.g., via tegra_pcie_ep_pex_rst_irq). An attacker with local access or the ability to force a PCI reset on a system using this driver could trigger the panic. No authentication is required if the attacker can influence the reset signal, but the attack surface is limited to systems with the pci-epf-test driver loaded and configured.
Impact
A successful exploit results in a kernel NULL pointer dereference and subsequent kernel panic, causing a denial of service (system crash). The stack trace in the report shows the crash path: dma_release_channel called with a NULL pointer leads to the panic. The vulnerability does not allow privilege escalation or data corruption beyond the crash.
Mitigation
The fix was applied in the Linux kernel stable tree, adding NULL checks before calling dma_release_channel() in pci_epf_test_clean_dma_chan(). The commits are identified as [1] and [2] in the official kernel repository. Users should update to kernel versions containing these commits to mitigate the issue. No workaround is available if the driver is in use.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
- 6411f840a9b5
- 0c5ce6b6ccc2
- fb54ffd60064
- 57f7fb0d1ac2
- 85afa9ea122d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/0c5ce6b6ccc22d486cc7239ed908cb0ae5363a7b (nvd)
- git.kernel.org/stable/c/57f7fb0d1ac28540c0f6405c829bb9c3b89d8dba (nvd)
- git.kernel.org/stable/c/6411f840a9b5c47c00ca8e004733de232553870d (nvd)
- git.kernel.org/stable/c/85afa9ea122dd9d4a2ead104a951d318975dcd25 (nvd)
- git.kernel.org/stable/c/fb54ffd60064c4e5139a3eb216e877b1acae1c8b (nvd)
News mentions (0)
No linked articles in our index yet.