Linux Kernel Virtio DRM Component NULL Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of 2D buffer objects (BO) in the virtio graphics driver can lead to a NULL pointer dereference. This issue arises because transferred 2D BOs are required to be shared memory (shmem) BOs. The vulnerability occurs when userspace mistakenly sends a video RAM (VRAM) BO instead. The flaw has been addressed by adding a check to ensure that only shmem BOs are transferred, preventing the NULL dereference.
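The missing type check and the fix described above, as an added example: this is a simplified userspace model, not the kernel driver's code, and every type and function name in it is hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model types; names are not taken from the kernel source. */
enum bo_kind { BO_SHMEM, BO_VRAM };

struct shmem_backing {              /* state that exists only for shmem BOs */
    uint8_t pages[64];
};

struct model_bo {
    enum bo_kind kind;
    struct shmem_backing *backing;  /* NULL for VRAM BOs */
};

/* Before the fix: assumes every BO handed in by userspace is shmem. */
int transfer_2d_unchecked(const struct model_bo *bo, uint8_t *host, size_t len)
{
    if (len > sizeof(bo->backing->pages))
        return -EINVAL;
    memcpy(host, bo->backing->pages, len);  /* NULL dereference for BO_VRAM */
    return 0;
}

/* After the fix: reject non-shmem BOs before touching shmem-only state. */
int transfer_2d_checked(const struct model_bo *bo, uint8_t *host, size_t len)
{
    if (bo->kind != BO_SHMEM || bo->backing == NULL)
        return -EINVAL;
    return transfer_2d_unchecked(bo, host, len);
}

/* Constructed sample objects: first copied byte on success, else the error. */
int demo_transfer(enum bo_kind kind)
{
    static struct shmem_backing pages = { .pages = { 0xAB } };
    struct model_bo bo = { kind, kind == BO_SHMEM ? &pages : NULL };
    uint8_t host[16] = { 0 };
    int rc = transfer_2d_checked(&bo, host, sizeof(host));
    return rc == 0 ? host[0] : rc;
}

int main(void)
{
    printf("shmem: %d, vram: %d\n", demo_transfer(BO_SHMEM), demo_transfer(BO_VRAM));
    return 0;
}
```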

Impact

Exploitation of this vulnerability can cause a NULL pointer dereference, leading to a crash of the affected component or system.

Reproduction

The vulnerability can be reproduced by transferring a 2D buffer object that is not a shared memory buffer (shmem) to the host in a virtio graphics command. This can be done by sending a video RAM buffer object instead, which will trigger the NULL pointer dereference when the command is processed.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The specific commit containing the fix is available in the Linux kernel stable tree.

Added: Dec 30, 2025, 5:28 PM
Updated: Dec 30, 2025, 5:28 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.