Linux Kernel DLM Invalid Dereference Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability in the Linux kernel's Distributed Lock Manager (DLM) can cause a denial-of-service condition through an invalid pointer dereference. The issue arises when the lock value block pointer (sb_lvbptr) in a lock's status block is left dangling while the DLM_LKF_VALBLK flag is not used: the kernel still dereferences the pointer and crashes. The kernel message reports a page fault at the address held in the dangling pointer, the typical signature of an invalid memory access. The vulnerability is present in Linux kernel versions through 5.19.0-rc3.

Impact

Exploitation of this vulnerability causes a kernel crash: the kernel takes a page fault when it accesses a memory address that it expects to be valid.

Reproduction

The vulnerability can be reproduced by creating a lock with a dangling sb_lvbptr without setting the DLM_LKF_VALBLK flag. This can be done by initializing a lock and then setting the pointer to an invalid memory address, such as 0xdeadbeef, before the lock is released. When the lock is subsequently unlocked, the kernel attempts to access the invalid pointer and crashes.

Remediation

Users can avoid this vulnerability by ensuring that the sb_lvbptr field is never left dangling and by setting the DLM_LKF_VALBLK flag whenever a value block is actually supplied.
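
The condition described under Reproduction and the caller-side rule from Remediation, modeled in user-space C as an added example (not kernel code and not part of the original advisory). struct lksb_model, reads_lvb_weak, reads_lvb_hardened and lksb_prepare are hypothetical names, and DLM_LKF_VALBLK is defined locally as a stand-in so the file builds without kernel headers; the pointer is never dereferenced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins so the example builds without kernel headers. */
#define DLM_LKF_VALBLK 0x00000008u          /* "caller supplies a value block" */
struct lksb_model { char *sb_lvbptr; };     /* only the field discussed above */

/* Weak gate: trusts any non-NULL pointer, so a stale one would be read. */
static bool reads_lvb_weak(const struct lksb_model *sb, uint32_t flags)
{
    (void)flags;
    return sb->sb_lvbptr != NULL;
}

/* Hardened gate: the pointer only counts when the flag says it is in use. */
static bool reads_lvb_hardened(const struct lksb_model *sb, uint32_t flags)
{
    return (flags & DLM_LKF_VALBLK) && sb->sb_lvbptr != NULL;
}

/* Caller-side hygiene before a lock or unlock request: with the flag a real
 * buffer is required; without it sb_lvbptr is cleared so nothing stale remains. */
static int lksb_prepare(struct lksb_model *sb, uint32_t flags, char *lvb)
{
    if (flags & DLM_LKF_VALBLK) {
        if (lvb == NULL)
            return -EINVAL;
        sb->sb_lvbptr = lvb;
    } else {
        sb->sb_lvbptr = NULL;
    }
    return 0;
}

int main(void)
{
    struct lksb_model sb = { .sb_lvbptr = (char *)(uintptr_t)0xdeadbeefu };
    printf("dangling, no flag: weak=%d hardened=%d\n",
           reads_lvb_weak(&sb, 0), reads_lvb_hardened(&sb, 0));
    lksb_prepare(&sb, 0, NULL);
    printf("after lksb_prepare: weak=%d\n", reads_lvb_weak(&sb, 0));
    return 0;
}
```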

Added: Oct 7, 2025, 6:45 PM
Updated: Oct 7, 2025, 6:45 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.