Linux Kernel io_uring NULL Pointer Dereference Vulnerability in Message Ring Handling

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's io_uring message ring implementation. The issue lies in the 'io_msg_send_fd()' function, which used the file pointer obtained for a fixed file descriptor without first checking it for NULL, so a NULL pointer could be dereferenced. The vulnerability was reported by Syzkaller, which produced a call trace showing a kernel panic caused by the NULL dereference. The issue has been fixed by adding the necessary NULL checks before the file pointers are dereferenced.

Impact

Exploitation of this vulnerability leads to a kernel panic, causing a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by using the io_uring interface to send messages that include fixed file descriptors. Because 'io_msg_send_fd()' did not check the file pointer, 'file_ptr' can be NULL in this path and is dereferenced anyway, crashing the kernel.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit that addresses this issue is available in the Linux kernel stable tree.
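The following is an added user-space model of the bug class, not the kernel's code: it mirrors a fixed-file table whose slots may be empty, and shows the hardened lookup that the advisory's fix corresponds to, returning -EBADF instead of dereferencing NULL. All names (file_model, ring_ctx_model, fixed_file_lookup, msg_send_fd_checked) are hypothetical.

```c
#include <errno.h>
#include <stddef.h>

/* Added example, not kernel code: a user-space model of the io_uring
 * fixed-file lookup described in the advisory. All names are hypothetical. */

struct file_model {
    int refcount;                 /* stands in for the kernel's struct file */
};

#define FIXED_TABLE_SIZE 4

/* A ring's fixed-file table: registered slots hold a file, unregistered
 * slots hold NULL. */
struct ring_ctx_model {
    struct file_model *fixed_files[FIXED_TABLE_SIZE];
};

/* Look up a fixed slot. Like the real table, an empty or out-of-range slot
 * yields NULL; the caller must check before using the pointer. */
static struct file_model *fixed_file_lookup(struct ring_ctx_model *ctx, unsigned slot)
{
    if (slot >= FIXED_TABLE_SIZE)
        return NULL;
    return ctx->fixed_files[slot];
}

/* Hardened send path. Without the `if (!file_ptr)` check this is the
 * vulnerable pattern from the advisory: an empty slot makes file_ptr NULL
 * and the refcount update below would dereference it. With the check, an
 * empty slot is a caller error that surfaces as -EBADF instead of a crash. */
static int msg_send_fd_checked(struct ring_ctx_model *src, unsigned slot)
{
    struct file_model *file_ptr = fixed_file_lookup(src, slot);
    if (!file_ptr)
        return -EBADF;
    file_ptr->refcount++;          /* safe: the slot is populated */
    return 0;
}

/* Drive the hardened path on a constructed table with one populated slot.
 * Returns 0 when slot 1 succeeds and empty/out-of-range slots give -EBADF. */
static int model_selftest(void)
{
    struct file_model f = { .refcount = 1 };
    struct ring_ctx_model ctx = { { NULL } };
    ctx.fixed_files[1] = &f;
    if (msg_send_fd_checked(&ctx, 1) != 0 || f.refcount != 2) return 1;
    if (msg_send_fd_checked(&ctx, 0) != -EBADF) return 2;
    if (msg_send_fd_checked(&ctx, FIXED_TABLE_SIZE) != -EBADF) return 3;
    return 0;
}
```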

Added: Sep 15, 2025, 7:36 PM
Updated: Sep 15, 2025, 7:36 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          9.0
impact          2.5
exploitability  4.3
remediation     7.7
relevance       0.5
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.