Linux Kernel Null Pointer Dereference Vulnerability in Tracing Error Log Handling

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's tracing error log management. The issue arises in the 'tracing_err_log_open' function, which does not invoke 'seq_open' when the file is opened with only write permissions. This oversight leaves 'file->private_data' uninitialized (null). Consequently, if 'lseek' is performed on the file, 'seq_lseek' dereferences the null 'private_data' in a mutex lock operation, which causes a kernel panic. Because this vulnerability requires root privileges to exploit, its security impact is considered minimal.

Impact

Exploitation of this vulnerability causes a kernel panic due to a null pointer dereference, disrupting system operations and potentially leading to a crash.

Reproduction

To reproduce this vulnerability, open the tracefs node '/sys/kernel/tracing/error_log' with write-only permissions. After the file is opened, use the 'lseek' system call, which will trigger the 'seq_lseek' function. This function will attempt to access 'file->private_data', which will be null, causing a kernel panic by dereferencing the null pointer.
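The open/lseek mismatch described in the Vulnerability and Reproduction sections, modelled in userspace C as an added example (it is not kernel source and not the upstream patch). The struct types, the MODE_* flags, the WOULD_OOPS sentinel and the guard in hardened_lseek are assumptions made for illustration; the sentinel stands in for the null dereference so the model can be run safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: simplified stand-ins for the kernel objects. */
#define MODE_READ  0x1
#define MODE_WRITE 0x2
#define WOULD_OOPS (-1000L)        /* stands in for the NULL dereference */

struct seq_state { long pos; };    /* stand-in for the seq_file state */
struct model_file { int mode; void *private_data; long f_pos; };

static struct seq_state seq_storage;

/* Models tracing_err_log_open as described: seq state exists only for readers. */
static int model_open(struct model_file *f, int mode)
{
    f->mode = mode;
    f->f_pos = 0;
    f->private_data = NULL;
    if (mode & MODE_READ) {        /* the seq_open() step */
        seq_storage.pos = 0;
        f->private_data = &seq_storage;
    }
    return 0;
}

/* Models seq_lseek: it trusts private_data unconditionally. */
static long model_seq_lseek(struct model_file *f, long off)
{
    struct seq_state *m = f->private_data;
    if (m == NULL)
        return WOULD_OOPS;         /* the kernel would take a mutex inside *m here */
    m->pos = off;
    f->f_pos = off;
    return off;
}

/* Hypothetical hardened handler: reach seq code only if the seq_open() step ran. */
static long hardened_lseek(struct model_file *f, long off)
{
    if (f->mode & MODE_READ)
        return model_seq_lseek(f, off);
    f->f_pos = 0;                  /* write-only open: nothing to seek in */
    return 0;
}

int main(void)
{
    struct model_file f;
    model_open(&f, MODE_WRITE);
    printf("unguarded: %ld, hardened: %ld\n", model_seq_lseek(&f, 0), hardened_lseek(&f, 0));
    return 0;
}
```

The point for code review is that an lseek handler which assumes seq state must be paired with an open handler that always creates it, or must check the open mode itself.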

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Sep 15, 2025, 3:17 PM
Updated: Sep 15, 2025, 9:14 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.