Linux Kernel CIFS Module NULL Pointer Dereference Vulnerability via DFS Traversal

Vulnerability

A NULL pointer dereference vulnerability has been identified in the CIFS (Common Internet File System) module of the Linux kernel. The issue arises when the kernel is compiled with the CONFIG_CIFS_DFS_UPCALL option disabled. In that configuration the 'cifs_dfs_d_automount' function returns NULL, yet the CIFS module still processes DFS referral attributes as if the upcall feature were enabled. The discrepancy leads to a NULL pointer dereference in the VFS (Virtual File System) follow_automount() function when a DFS referral link is followed, crashing the kernel.

Impact

Exploitation of this vulnerability leads to a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially causing a denial of service.

Reproduction

To reproduce this vulnerability, compile the Linux kernel with the CONFIG_CIFS_DFS_UPCALL option disabled. When the CIFS module is loaded, it will incorrectly handle DFS referral attributes, leading to a NULL pointer dereference when the VFS follows an automount link. This can be triggered by accessing a DFS referral that the CIFS module is supposed to handle, which will result in a kernel crash.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the CIFS module to include a proper handler for DFS automounts when the upcall option is disabled. Users should upgrade to a patched version of the Linux kernel that includes this fix.
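The pattern behind this bug and its fix is a config-dependent operations table whose caller assumes every slot is filled. The following userspace C model is an added example, not kernel source and not this page's own code. The names struct dentry_operations, d_automount and follow_automount mirror the kernel identifiers the advisory mentions, but the structures, the ERR_PTR helpers and the ops tables are simplified stand-ins, and the exact form of the stub handler in the kernel fix is an assumption. It places the "before" table (empty d_automount slot) beside the "after" table (an always-present stub that fails with -EREMOTE), shows the trusting caller, and adds a small audit check a reviewer can run over an ops table.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opaque stand-in for the kernel's struct vfsmount. */
struct vfsmount;

/* Minimal stand-in for the kernel's struct path. */
struct path {
    const char *name;
};

/* The only slot of struct dentry_operations that matters here. */
struct dentry_operations {
    struct vfsmount *(*d_automount)(struct path *);
};

/* Kernel-style ERR_PTR()/IS_ERR()/PTR_ERR(): an errno is carried in the
 * top few thousand addresses of pointer space instead of in a separate
 * out-parameter. Reimplemented here for the userspace model. */
#define MAX_ERRNO 4095UL
static inline void *ERR_PTR(long err) { return (void *)(uintptr_t)err; }
static inline long PTR_ERR(const void *ptr) { return (long)(uintptr_t)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* "Before": with CONFIG_CIFS_DFS_UPCALL disabled the advisory describes the
 * automount handler as effectively NULL, so the ops table has an empty slot
 * even though the inode is still treated as a DFS referral. */
static const struct dentry_operations cifs_dfs_ops_upcall_disabled = {
    .d_automount = NULL,
};

/* "After": a stub that is always present and fails cleanly with -EREMOTE
 * (the referral cannot be followed without the upcall). The stub's exact
 * form in the kernel fix is an assumption of this model. */
static struct vfsmount *cifs_dfs_d_automount_stub(struct path *path)
{
    (void)path;
    return ERR_PTR(-EREMOTE);
}

static const struct dentry_operations cifs_dfs_ops_fixed = {
    .d_automount = cifs_dfs_d_automount_stub,
};

/* Simplified follow_automount(): like the VFS path the advisory describes,
 * it trusts that a dentry flagged as an automount point has a handler and
 * calls it unconditionally. Returns 0 on success or a negative errno.
 * Calling it with cifs_dfs_ops_upcall_disabled dereferences NULL. */
static int follow_automount(const struct dentry_operations *ops, struct path *path)
{
    struct vfsmount *mnt = ops->d_automount(path);

    if (IS_ERR(mnt))
        return (int)PTR_ERR(mnt);
    return 0;
}

/* Defender-side check: does this ops table populate d_automount? The VFS
 * caller modelled above performs no such check, which is why the fix
 * installs a stub rather than leaving the slot empty. Auditing ops tables
 * for slots a caller assumes are filled is the review-time form of the
 * same question. */
static int automount_handler_present(const struct dentry_operations *ops)
{
    return ops->d_automount != NULL;
}

int main(void)
{
    struct path referral = { .name = "/mnt/share/dfs-link" };  /* constructed */

    printf("upcall disabled: handler present = %d\n",
           automount_handler_present(&cifs_dfs_ops_upcall_disabled));
    printf("fixed:           handler present = %d\n",
           automount_handler_present(&cifs_dfs_ops_fixed));
    /* Only the fixed table is dispatched; the disabled one would crash here. */
    printf("fixed:           follow_automount -> %d (-EREMOTE is %d)\n",
           follow_automount(&cifs_dfs_ops_fixed, &referral), -EREMOTE);
    return 0;
}
```

The model deliberately keeps follow_automount() free of a NULL check, because the advisory locates the crash in a caller that trusts the table; the remediation it describes lives on the provider side, in always supplying a handler, and automount_handler_present() is the check that distinguishes the two tables.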

Added: Sep 15, 2025, 4:15 PM
Updated: Sep 15, 2025, 4:15 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.