Linux Kernel NULL Pointer Dereference Vulnerability in IPComp Scratch Management

Vulnerability

A vulnerability in the Linux kernel's IPComp (IP Payload Compression Protocol) scratch management can lead to a NULL pointer dereference. The issue is in the xfrm (IPsec transformation) module: when ipcomp_alloc_scratches() fails to allocate memory, the ipcomp_scratches variable retains an obsolete address. When the scratches are then freed using ipcomp_free_scratches(), the function attempts to vfree a non-existent virtual memory area. This triggers a kernel warning about trying to vfree a non-existent VM area and indicates a potential denial-of-service condition.

Impact

Exploitation of this vulnerability causes a kernel warning about freeing a non-existent virtual memory area, which can lead to a denial-of-service condition by causing unnecessary noise in the system logs and potentially disrupting normal operations.

Reproduction

The vulnerability can be reproduced by invoking the ipcomp_alloc_scratches() function in a scenario where memory allocation fails. This will result in ipcomp_scratches holding an invalid address. Subsequently, calling ipcomp_free_scratches() will attempt to free the percpu scratches, leading to a NULL pointer dereference.

Remediation

The vulnerability has been addressed by updating the ipcomp_scratches variable to NULL when the allocated scratches are freed. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
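
The stale-pointer sequence and the effect of the fix can be replayed in user space. This is an added example, not kernel code: a toy slot allocator stands in for the kernel allocators, and NCPU, NSLOT, replay() and the fixed flag are assumptions made for the model. Only the names ipcomp_scratches, ipcomp_alloc_scratches() and ipcomp_free_scratches() come from the advisory.

```c
#include <stdio.h>

#define NCPU  4   /* constructed stand-in for the possible-CPU set */
#define NSLOT 8
/* Toy allocator: slots are never reused, so stale pointers stay readable
 * and a free of a dead slot is counted instead of corrupting memory. */
struct slot { int live; void *cpu[NCPU]; };
static struct slot pool[NSLOT];
static int next_slot, bad_frees;
static struct slot *scratches;  /* models ipcomp_scratches */
static int users;               /* models the scratch user count */

static void *model_alloc(void) {
    pool[next_slot].live = 1;
    return &pool[next_slot++];
}
static void model_free(void *p) {
    struct slot *s = p;
    if (!s) return;                         /* freeing NULL is a no-op */
    if (!s->live) { bad_frees++; return; }  /* kernel would warn here */
    s->live = 0;
}
/* Models ipcomp_alloc_scratches(); fail simulates an allocation failure. */
static struct slot *alloc_scratches(int fail) {
    if (users++) return scratches;
    if (fail) return NULL;   /* failure path: global keeps its old value */
    scratches = model_alloc();
    for (int i = 0; i < NCPU; i++) scratches->cpu[i] = model_alloc();
    return scratches;
}
/* Models ipcomp_free_scratches(); fixed selects the remediated variant. */
static void free_scratches(int fixed) {
    if (--users) return;
    struct slot *s = scratches;
    if (!s) return;
    for (int i = 0; i < NCPU; i++) model_free(s->cpu[i]);
    model_free(s);
    if (fixed) scratches = NULL;  /* the remediation described above */
}
/* Allocate, free, fail an allocation, run the error-path free; count bad frees. */
int replay(int fixed) {
    next_slot = bad_frees = users = 0;
    scratches = NULL;
    for (int i = 0; i < NSLOT; i++) pool[i].live = 0;
    alloc_scratches(0); free_scratches(fixed);
    alloc_scratches(1); free_scratches(fixed);
    return bad_frees;
}
int main(void) {
    printf("stale global: %d bad frees, fixed: %d\n", replay(0), replay(1));
    return 0;
}
```

Without the NULL assignment, the second free walks the stale per-CPU array and releases every entry plus the array itself a second time. With it, the second free returns early.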

Added: Oct 22, 2025, 6:01 PM
Updated: Oct 22, 2025, 6:01 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.