Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's VMBus client driver can lead to a NULL pointer dereference, causing a system crash during boot. The issue occurs with VMBus host implementations, such as QEMU's, that do not provide Hyper-V memory-mapped I/O (MMIO) ranges. The driver walks the ACPI namespace to find MMIO ranges; if it finds none, it ends up dereferencing a pointer taken from the ACPI root object, which lacks a valid handle. The fix terminates the lookup at the root object.
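The lookup bug and its fix, modelled in user-space C as an added example (this is not the kernel's code or the upstream patch). The struct layout, function names and sample namespaces are hypothetical and assume, as described above, that the root node carries no handle.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model of a namespace node; not the kernel's types. */
struct ns_handle { int mmio_ranges; };
struct ns_node {
    const char *name;
    const struct ns_handle *handle;  /* NULL on the namespace root */
    const struct ns_node *parent;    /* NULL above the root */
};

/* The resource lookup dereferences the handle it is given. */
static int handle_has_mmio(const struct ns_handle *h) { return h->mmio_ranges > 0; }

/* 'Before' shape: runs until parent is NULL, so it reaches the root and
 * passes the root's NULL handle to the lookup. Shown for contrast, never called. */
const struct ns_node *find_mmio_unbounded(const struct ns_node *dev)
{
    for (const struct ns_node *a = dev->parent; a; a = a->parent)
        if (handle_has_mmio(a->handle))
            return a;
    return NULL;
}

/* 'After' shape: the walk terminates at the root, which has no valid handle. */
const struct ns_node *find_mmio_bounded(const struct ns_node *dev)
{
    for (const struct ns_node *a = dev->parent; a && a->handle; a = a->parent)
        if (handle_has_mmio(a->handle))
            return a;
    return NULL;
}

/* Constructed sample namespaces: root -> bus -> VMBus device. */
static const struct ns_node root = { "\\", NULL, NULL };
static const struct ns_handle h_ranges = { 2 }, h_none = { 0 };
static const struct ns_node bus_ranges = { "BUS0", &h_ranges, &root };
static const struct ns_node bus_none   = { "BUS0", &h_none, &root };
const struct ns_node vmbus_with_ranges = { "VMBS", &h_none, &bus_ranges };
const struct ns_node vmbus_no_ranges   = { "VMBS", &h_none, &bus_none };

int main(void)
{
    const struct ns_node *hit = find_mmio_bounded(&vmbus_with_ranges);
    printf("ranges on ancestor: %s\n", hit ? hit->name : "(none)");
    hit = find_mmio_bounded(&vmbus_no_ranges);
    printf("no ranges anywhere: %s\n", hit ? hit->name : "(none)");
    return 0;
}
```

The second case mirrors a host that exposes no MMIO ranges: the bounded walk returns NULL instead of touching the root's missing handle.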
Exploitation of this vulnerability causes a system crash (oops) during boot, disrupting the startup process.
To reproduce this vulnerability, boot a Linux guest under KVM/QEMU with a VMBus host implementation that does not provide Hyper-V MMIO ranges. The QEMU VMBus implementation, which is known to lack these ranges, can be used for this. The absence of MMIO ranges will trigger the VMBus client driver to dereference a NULL pointer, leading to a crash.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.