Linux Kernel RAID0 NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's RAID0 implementation can lead to a NULL pointer dereference, causing a kernel panic. This issue arises during the reshape process of a RAID array. Normally, when a RAID device is stopped, the private data associated with the device is cleared, and the memory is freed. However, during a reshape operation, the new private data is set before the old data is freed, so when the RAID0 implementation clears the private data at that point, it clears the pointer to the new data. As a result, the new RAID operation attempts to use a NULL pointer, causing a crash. The vulnerability has been observed in Linux kernel version 5.14.0-86.el9.x86_64.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, create a RAID0 array using the Linux software RAID (md) subsystem. Initiate a reshape operation on the array, which involves changing the layout or size of the RAID0 configuration. During the reshape process, the kernel incorrectly handles the private data of the RAID0 device, leading to a NULL pointer dereference when the RAID operation attempts to access the cleared private data. This can be observed by monitoring the system logs for a kernel panic message indicating a NULL pointer dereference in the RAID10 driver, which is related to the RAID0 implementation.

Remediation

The vulnerability can be addressed by modifying the RAID0 implementation to prevent the premature clearing of the private data. This involves removing the code that sets the private data to NULL before the old data is properly freed, ensuring that the reshape operation does not introduce a NULL pointer dereference.
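
The reshape ordering described above, as an added userspace C model (not kernel code and not the upstream patch). All type and function names are hypothetical, and placing the clear inside the release routine is an assumption of the model; the NULL check stands in for the point where the kernel would crash.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; every name below is hypothetical. */
struct level_state { int nr_disks; };               /* per-level private data */
struct array_dev   { struct level_state *private_data; };
typedef void (*release_fn)(struct array_dev *dev, struct level_state *priv);

/* Behaviour the page describes: releasing the old state also clears the
 * device pointer, which by then already refers to the new state. */
static void release_and_clear(struct array_dev *dev, struct level_state *priv)
{
    free(priv);
    dev->private_data = NULL;
}

/* Remediated behaviour: free only the state that was handed in. */
static void release_only(struct array_dev *dev, struct level_state *priv)
{
    (void)dev;
    free(priv);
}

/* The new RAID operation. Returns -1 where the kernel would dereference NULL. */
static int next_level_run(const struct array_dev *dev)
{
    if (dev->private_data == NULL)
        return -1;
    return dev->private_data->nr_disks;
}

/* Reshape: install the new state first, then release the old one. */
static int reshape_then_run(release_fn release_old)
{
    struct array_dev dev = { .private_data = calloc(1, sizeof(struct level_state)) };
    struct level_state *old_state = dev.private_data;
    struct level_state *new_state = calloc(1, sizeof(*new_state));
    new_state->nr_disks = 4;                        /* constructed sample value */

    dev.private_data = new_state;                   /* new data set first */
    release_old(&dev, old_state);                   /* old data freed afterwards */
    int result = next_level_run(&dev);
    free(new_state);                                /* model cleanup only */
    return result;
}

int main(void)
{
    printf("clearing release: %d\n", reshape_then_run(release_and_clear));
    printf("fixed release:    %d\n", reshape_then_run(release_only));
    return 0;
}
```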

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.