Linux Kernel Null Pointer Dereference Vulnerability in Unix Stream Sendpage Function

Vulnerability

A race condition in the Linux kernel's unix_stream_sendpage() function affects kernels before 6.5. The function is reached when sendfile() or splice() writes into an AF_UNIX stream socket. To coalesce the new page data with data already queued, it looked at the last socket buffer (skb) in the peer's receive queue and appended to it without taking the receive queue's lock. That queue is also modified by the AF_UNIX garbage collector: when a socket's file descriptor is passed over another socket with SCM_RIGHTS and that socket's descriptor is passed back over the peer, the two sockets form a reference loop that only the garbage collector can reclaim. If both sockets are then closed without the descriptors ever being received, the collector unlinks the skbs carrying the in-flight descriptors from the receive queue under the queue's lock and frees them. Because sendpage peeked at the queue locklessly, it could continue using an skb the collector was releasing, which is a use-after-free. The crash in the original report surfaced as a null pointer dereference through the freed buffer, hence the name, but the root cause is the use-after-free. The fix takes the peer's receive queue lock before peeking at and appending to the tail skb.

Impact

The racy path is reachable by any local, unprivileged process that can create AF_UNIX stream sockets and call sendfile() or splice() into one. A local attacker who wins the race obtains a use-after-free on a freed skb, a well-known kernel memory-corruption primitive that can lead to arbitrary code execution and privilege escalation; losing the race, or winning it at an unhelpful moment, crashes the kernel and so yields a denial of service.

Reproduction

The setup follows the description above: create an AF_UNIX stream socket pair, pass each end's descriptor over the pair with SCM_RIGHTS so that each socket's only lasting reference becomes an in-flight skb in the other's receive queue, then close both ends without ever receiving the descriptors. The close triggers the AF_UNIX garbage collector, which unlinks and frees those skbs under the receive queue lock. If, concurrently, another thread is inside unix_stream_sendpage() for that socket (for example via sendfile() into it) and has already peeked at the tail skb of the same receive queue without the lock, it appends to a buffer that is being freed. This is a timing race, so a single attempt does not reproduce it reliably; in the original report the use-after-free manifested as a null pointer dereference.
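The loop construction and the entry path described in the Vulnerability and Reproduction sections, as an added example that is not part of this page and not the kernel's own code. It assumes Linux with glibc. It only builds the in-flight descriptor cycle and shows that sendfile() into an AF_UNIX stream socket is the user-visible way onto the sendpage path; it makes no attempt to win the race and is not an exploit.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/socket.h>
#include <sys/sendfile.h>

/* Pass one file descriptor over an AF_UNIX stream socket with SCM_RIGHTS.
 * The kernel attaches the descriptor to an skb on the peer's receive queue;
 * until the peer calls recvmsg() it is "in flight" and is tracked by the
 * AF_UNIX garbage collector. Returns 0 on success, -1 on failure. */
static int send_fd(int sock, int fd_to_pass)
{
    char byte = 'F';                         /* SCM_RIGHTS needs >= 1 data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union {
        struct cmsghdr hdr;                  /* guarantees cmsghdr alignment */
        char buf[CMSG_SPACE(sizeof(int))];
    } ctl;
    memset(&ctl, 0, sizeof ctl);
    struct msghdr msg = {
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf,
    };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_pass, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Build the loop from the advisory. S sends its own descriptor to its peer P
 * (the skb lands in P's receive queue) and P sends its descriptor to S. Once
 * both ends are closed without anyone receiving, the only references left to
 * S and P are the in-flight skbs in each other's queues, so only unix_gc()
 * can reclaim them, and it unlinks those skbs under the receive queue lock.
 * Returns 0 if the loop was built and both ends closed, -1 otherwise. */
static int build_fd_loop(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int rc = 0;
    if (send_fd(sv[0], sv[0]) < 0 || send_fd(sv[1], sv[1]) < 0)
        rc = -1;
    close(sv[0]);   /* no recvmsg(): the descriptors stay in flight and the */
    close(sv[1]);   /* garbage collector, not these closes, frees the sockets */
    return rc;
}

/* Exercise the entry path. sendfile() from a regular file into an AF_UNIX
 * stream socket is what reached unix_stream_sendpage() on pre-6.5 kernels;
 * a plain write() takes the sendmsg path instead. Sends len bytes from a
 * temporary file into a fresh socketpair and reads them back from the peer.
 * Returns the number of bytes delivered if they match the input, else -1. */
static ssize_t send_through_sendpage_path(const char *data, size_t len)
{
    int sv[2];
    char back[256];
    ssize_t result = -1;
    if (len > sizeof back || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    FILE *f = tmpfile();
    if (f && fwrite(data, 1, len, f) == len && fflush(f) == 0 &&
        lseek(fileno(f), 0, SEEK_SET) == 0) {
        ssize_t sent = sendfile(sv[0], fileno(f), NULL, len);
        if (sent == (ssize_t)len) {
            ssize_t got = read(sv[1], back, sizeof back);
            if (got == (ssize_t)len && memcmp(back, data, len) == 0)
                result = got;
        }
    }
    if (f)
        fclose(f);
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    printf("sendfile() into AF_UNIX stream delivered %zd bytes\n",
           send_through_sendpage_path("page data", 9));
    printf("SCM_RIGHTS loop built and closed: %s\n",
           build_fd_loop() == 0 ? "ok" : "failed");
    return 0;
}
```

On a patched kernel both calls succeed and nothing interesting happens; the point is to see where the two ingredients of the bug come from: the SCM_RIGHTS cycle is what hands the receive queue to the garbage collector, and sendfile()/splice() into the socket is what put a sender on the lockless sendpage path.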

Remediation

Upgrade to Linux kernel 6.5 or later, or to a stable or distribution kernel that carries the backport of the fix; the change is small and was backported to the maintained stable series. The racy path is reachable by any local user, so patching the kernel is the remediation.

Added: Dec 24, 2025, 3:52 PM
Updated: Dec 24, 2025, 3:52 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.