Linux Kernel Overlay Subsystem NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's overlay subsystem can lead to a NULL pointer dereference. When 'of_overlay_fdt_apply()' fails, the overlay changeset is left only partially applied, and the caller must invoke 'of_overlay_remove()' to clean up that partial state. However, 'of_overlay_apply()' resolves the overlay's symbol references (phandles) before it initializes the overlay changeset. If overlay application fails because a symbol cannot be resolved, the changeset entries are still uninitialized when the cleanup path walks them, causing a crash. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability can be exploited to cause a NULL pointer dereference, leading to a crash.

Reproduction

To reproduce this vulnerability, apply an overlay that contains an unresolved symbol, which will cause the 'of_overlay_fdt_apply()' function to fail. This failure leaves the overlay changeset in a partially applied state. When 'of_overlay_remove()' is called to clean up, the process will attempt to access the uninitialized changeset entries, resulting in a NULL pointer dereference and a crash.

Remediation

The vulnerability has been addressed by modifying the overlay application process to ensure proper initialization of the changeset before resolving handles. Users should update to the latest version of the Linux kernel stable tree where this fix has been applied.
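The ordering problem described above, as an added user-space model (not kernel code, and not the project's patch): the changeset is modelled as a struct with an initialized flag and a list head, the hypothetical functions overlay_apply()/overlay_remove() stand in for of_overlay_apply()/of_overlay_remove(), and the symbol set and overlay references are constructed. With init_first=false (the buggy order) the failed apply leaves cleanup walking an uninitialized changeset; with init_first=true (the fixed order) cleanup is safe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed user-space model of the ordering bug, not kernel code. */
struct ovcs_entry { const char *node; struct ovcs_entry *next; };
struct overlay_changeset {
    bool initialized;            /* has the changeset list been set up? */
    struct ovcs_entry *entries;  /* list head; only valid once initialized */
};
static void init_changeset(struct overlay_changeset *ovcs)
{
    ovcs->initialized = true;
    ovcs->entries = NULL;        /* empty, but safe to walk */
}
/* Models of_overlay_remove(): walking an uninitialized changeset is the crash. */
static int overlay_remove(struct overlay_changeset *ovcs)
{
    if (!ovcs->initialized)
        return -1;               /* the kernel dereferences NULL here instead */
    /* here each entry on ovcs->entries would be reverted */
    return 0;
}
/* Symbols present in the (constructed) live tree; anything else is unresolved. */
static bool symbol_resolves(const char *sym)
{
    return strcmp(sym, "gpio0") == 0 || strcmp(sym, "i2c1") == 0;
}
/* Models of_overlay_apply(); init_first selects the fixed ordering. */
static int overlay_apply(struct overlay_changeset *ovcs,
                         const char *const *refs, size_t n, bool init_first)
{
    if (init_first)
        init_changeset(ovcs);    /* fix: cleanable before anything can fail */
    for (size_t i = 0; i < n; i++)
        if (!symbol_resolves(refs[i]))
            return -1;           /* unresolved symbol: caller must clean up */
    if (!init_first)
        init_changeset(ovcs);    /* bug: too late for the error path above */
    return 0;
}
/* Returns 0 if cleanup after a failed apply is safe, -1 if it would crash. */
int cleanup_after_failed_apply(bool init_first)
{
    struct overlay_changeset ovcs = { 0 };
    const char *const refs[] = { "gpio0", "missing_sym" };  /* constructed refs */
    if (overlay_apply(&ovcs, refs, 2, init_first) == 0)
        return 0;
    return overlay_remove(&ovcs);
}
```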

Added: Dec 9, 2025, 9:16 PM
Updated: Dec 9, 2025, 9:16 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.