Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's TEE (Trusted Execution Environment) subsystem has been identified, specifically in the 'tee_shm_register_user_buf()' function. The issue arises from improper handling of user-supplied memory lengths in 'register_shm_helper()', leading to an integer overflow. The overflow allows 'internal_get_user_pages_fast()', a helper for 'pin_user_pages_fast()', to dereference a NULL pointer, causing a kernel crash. The vulnerability has been addressed by adding a check for valid user space addresses before processing the memory region.
Exploitation of this vulnerability leads to a NULL pointer dereference in the kernel, causing a crash.
The vulnerability can be reproduced by invoking the 'tee_ioctl' function with specially crafted user space memory lengths that cause an integer overflow in 'register_shm_helper()'. This overflow allows 'internal_get_user_pages_fast()' to dereference a NULL pointer, resulting in a kernel crash.
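The effect of validating the user range before doing length arithmetic can be seen in a small user-space model. This is an added example, not the kernel's code: the page-count formula, 'PAGE_SIZE', 'USER_LIMIT' and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  4096ULL                 /* assumed page size */
#define USER_LIMIT 0x0000800000000000ULL   /* assumed top of user address space */

/* Page count computed without validation: addr + length may wrap past 2^64. */
static uint64_t pages_unchecked(uint64_t addr, uint64_t length)
{
    uint64_t start = addr & ~(PAGE_SIZE - 1);
    uint64_t end = (addr + length + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    return (end - start) / PAGE_SIZE;
}

/* Model of a user-range check: reject wrap-around and ranges above the limit. */
static bool user_range_ok(uint64_t addr, uint64_t length)
{
    if (length > UINT64_MAX - addr)        /* addr + length would overflow */
        return false;
    return addr + length <= USER_LIMIT;
}

/* Validate first, then count pages; -1 means the request was rejected. */
static int64_t pages_checked(uint64_t addr, uint64_t length)
{
    if (!user_range_ok(addr, length))
        return -1;
    return (int64_t)pages_unchecked(addr, length);
}

int main(void)
{
    uint64_t addr = 0x1000, huge = UINT64_MAX;   /* constructed inputs */

    /* The wrapped sum yields a page count unrelated to the requested length. */
    printf("unchecked pages for huge length: %llu\n",
           (unsigned long long)pages_unchecked(addr, huge));
    printf("checked result for huge length:  %lld\n",
           (long long)pages_checked(addr, huge));
    printf("checked result for 8 KiB buffer: %lld\n",
           (long long)pages_checked(addr, 0x2000));
    return 0;
}
```

In this model the oversized length produces a page count of zero when unchecked, while the validated path rejects the request before any page arithmetic runs.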