Linux Kernel Synthetic Event String Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's tracing subsystem allows for improper handling of strings in synthetic events, leading to a potential crash. The issue arises because the synthetic event field 'char file[]' reads user-space addresses as strings without verifying the memory's validity. This oversight can cause a crash when the event processing calls string manipulation functions like 'strlen()' and 'strscpy()', which access user-space memory without proper checks. The vulnerability was introduced in a previous commit that added support for dynamic strings in synthetic events.
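The bug class described above, shown as an added user-space illustration; it is not kernel code and not the upstream fix. The helper names `copy_str_nofault` and `unreadable_page` are hypothetical. The helper returns an error for an unreadable address where a bare `strlen()` would fault.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Unsafe pattern from the advisory: strlen((const char *)addr) on an
 * unvalidated address faults as soon as addr is not readable.
 * copy_str_nofault() (hypothetical name) copies a NUL-terminated string from
 * an address that may be unreadable and returns its length, or -EFAULT instead
 * of crashing: write() to a pipe makes the kernel validate the source byte. */
long copy_str_nofault(char *dst, size_t dst_size, const void *unsafe_src)
{
    int fds[2];
    size_t n = 0;
    long ret = -EFAULT;
    if (dst_size == 0 || pipe(fds) != 0)
        return -EFAULT;
    while (n < dst_size - 1) {
        const void *p = (const void *)((uintptr_t)unsafe_src + n);
        char c;
        /* One byte per call, so a string ending just before an unreadable page still copies. */
        if (write(fds[1], p, 1) != 1 || read(fds[0], &c, 1) != 1)
            goto out;
        if (c == '\0')
            break;
        dst[n++] = c;
    }
    ret = (long)n;   /* longer strings are truncated to dst_size - 1 */
out:
    dst[ret < 0 ? 0 : n] = '\0';
    close(fds[0]);
    close(fds[1]);
    return ret;
}

/* Constructed test input: one page that is mapped but not readable. */
void *unreadable_page(void)
{
    return mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
}

int main(void)
{
    char buf[32];
    printf("valid: %ld\n", copy_str_nofault(buf, sizeof buf, "/tmp/example"));
    printf("bad:   %ld\n", copy_str_nofault(buf, sizeof buf, unreadable_page()));
    return 0;
}
```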

Impact

Exploitation of this vulnerability can cause a kernel crash, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by creating a synthetic event that reads a user-space address as a string. This can be done by echoing a command into the 'dynamic_events' file that specifies a string field, and then triggering the event, which will result in a crash.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: Sep 15, 2025, 9:26 PM
Updated: Sep 15, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.