Linux Kernel Memory Control NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's memory control subsystem can lead to a NULL pointer dereference. The issue arises when a memory control group (memcg) is looked up by its ID during the eviction recency check. If a new memcg reusing that ID is obtained before it has been linked into the memcg hierarchy, the hierarchy traversal dereferences a NULL pointer. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash.

Reproduction

The vulnerability can be reproduced by looking up a memcg ID that has been recently allocated but not yet attached to the memcg hierarchy. This can occur during the eviction recency check: the shadow entry may hold the ID of a memcg that has been killed, and a new memcg with the same ID is allocated before it is linked into the hierarchy. When the system then tries to access that memcg's swap pages, it dereferences a NULL pointer and the kernel crashes.

Remediation

The vulnerability has been addressed by modifying the memcg ID publication process. The ID is now published only after the memcg is fully online and connected to the memcg tree, preventing the retrieval of a NULL pointer during hierarchy traversal.
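To make the ordering concrete, here is an added user-space C model of the race described in the Reproduction and Remediation sections (constructed for this page, not kernel code; the names cgroup, id_table, publish_id and link_into_tree are ours). The same lookup, run in the window between the two steps, reaches an unlinked group under the old ordering and simply fails under the fixed one.

```c
#include <stddef.h>
/* Constructed model of the race above; names are ours, not the kernel's.
 * id_table stands in for lookup-by-id, `parent` for the link into the tree. */
#define MAX_IDS 8
struct cgroup { int id; struct cgroup *parent; /* NULL until linked */ };

static struct cgroup root = { .id = 1, .parent = NULL };
static struct cgroup *id_table[MAX_IDS] = { [1] = &root };  /* what lookups see */
static struct cgroup pool[MAX_IDS];  /* groups being created; static, so parent starts NULL */

/* Walk from the group found under `id` up to the root, counting hops.
 * -1: id not published (a lookup failure the caller handles gracefully).
 * -2: published but unlinked group reached; in the kernel this is where
 *     the NULL parent pointer would be dereferenced. */
static int hierarchy_depth_of_id(int id)
{
    struct cgroup *c = (id > 0 && id < MAX_IDS) ? id_table[id] : NULL;
    int depth = 0;
    if (!c)
        return -1;
    while (c != &root) {
        if (!c->parent)
            return -2;
        c = c->parent;
        depth++;
    }
    return depth;
}

static void publish_id(struct cgroup *c, int id) { c->id = id; id_table[id] = c; }
static void link_into_tree(struct cgroup *c)     { c->parent = &root; }
/* Vulnerable ordering: id visible to lookups while `parent` is still NULL. */
static int window_lookup_vulnerable(int id)
{
    struct cgroup *c = &pool[id];
    publish_id(c, id);                    /* step 1: id visible */
    int r = hierarchy_depth_of_id(id);    /* concurrent lookup lands here */
    link_into_tree(c);                    /* step 2: too late */
    return r;
}

/* Fixed ordering: link first, publish the id only once the group is online. */
static int window_lookup_fixed(int id)
{
    struct cgroup *c = &pool[id];
    link_into_tree(c);                    /* step 1: connected to the tree */
    int r = hierarchy_depth_of_id(id);    /* lookup in the window: id unknown */
    publish_id(c, id);                    /* step 2: safe to find */
    return r;
}
```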

Added: Oct 7, 2025, 5:59 PM
Updated: Oct 7, 2025, 5:59 PM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          2.5
exploitability  5.7
remediation     7.7
relevance       0.6
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.