Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 4.8, < 4.8.0-rc1
A vulnerability in the Linux kernel's PowerPC architecture has been identified, where tasks marked as PF_KTHREAD and PF_IO_WORKER are assigned a NULL pt_regs. This situation is uncommon in other architectures. The vulnerability arises when such tasks generate a core dump, leading to a kernel crash due to a NULL pointer dereference. The issue occurs because the ppr_get function attempts to copy data from a task with a NULL pt_regs, causing a kernel access violation. The vulnerability has been addressed by modifying the ppr_get and ppr_set functions to check for a valid pt_regs and return an error if not set.
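The defect and the fix described above, modelled in a stand-alone C program that is an added illustration, not the kernel's own code: the structures, the `_vulnerable`/`_fixed` names, the flag values and the `-EINVAL` return are assumptions made for this example. The vulnerable getter dereferences `thread.regs` unconditionally, while the fixed getter and setter refuse tasks that have no `pt_regs`, which is what stops the core-dump path from faulting on a PF_KTHREAD or PF_IO_WORKER task.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* Minimal stand-ins for the kernel structures involved (assumption: only the
 * fields that matter for this bug are modelled). */
#define PF_IO_WORKER 0x00000010u
#define PF_KTHREAD   0x00200000u

struct pt_regs       { uint64_t ppr; };          /* the field ppr_get/ppr_set copy */
struct thread_struct { struct pt_regs *regs; };  /* NULL for kthreads/io workers on ppc */
struct task_struct   { unsigned int flags; struct thread_struct thread; };

/* Vulnerable form: no check, so a task with thread.regs == NULL faults here. */
int ppr_get_vulnerable(const struct task_struct *target, uint64_t *out)
{
    *out = target->thread.regs->ppr;   /* NULL pointer dereference for PF_KTHREAD/PF_IO_WORKER */
    return 0;
}

/* Fixed form: refuse to read when the task has no user register frame. */
int ppr_get_fixed(const struct task_struct *target, uint64_t *out)
{
    if (!target->thread.regs)
        return -EINVAL;                /* error code is an assumption of this example */
    *out = target->thread.regs->ppr;
    return 0;
}

/* Fixed setter with the same guard. */
int ppr_set_fixed(struct task_struct *target, uint64_t ppr)
{
    if (!target->thread.regs)
        return -EINVAL;
    target->thread.regs->ppr = ppr;
    return 0;
}

/* Models the core-dump walk over a task's threads: every thread is visited,
 * the guarded getter skips those without pt_regs instead of crashing.
 * Returns the number of PPR values collected; *skipped counts refused tasks. */
int dump_ppr(const struct task_struct *tasks, size_t n, uint64_t *out, int *skipped)
{
    int dumped = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (ppr_get_fixed(&tasks[i], &out[dumped]) == 0)
            dumped++;
        else
            (*skipped)++;
    }
    return dumped;
}
```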
Exploitation of this vulnerability leads to a kernel crash caused by a NULL pointer dereference, disrupting system operations and potentially causing a denial of service.
The vulnerability can be reproduced by creating a task in the PowerPC architecture that is assigned the PF_KTHREAD and PF_IO_WORKER flags, while having a NULL pt_regs. This can be done in a controlled environment, such as QEMU emulating an IBM pSeries POWER9 system. Once the task is set up, performing an action that triggers a core dump will result in a kernel crash, demonstrating the vulnerability.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.