Linux Kernel GSP Message Queue Read Pointer Advancement Vulnerability Leading to Kernel Panic

Vulnerability

A vulnerability has been identified in the Linux kernel's handling of GSP event messages. When processing two-page GSP messages, the kernel advances the read pointer using only the size of the RPC header and message body. Because of this miscalculation, the message body of the previous message is treated as the header of the next message, which yields a 'message length' of zero. The kernel then attempts to read an invalid memory address, causing a NULL pointer dereference and a kernel panic. This issue has been observed in the nvkm component of the Linux kernel.
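The following added example is a user-space model of the miscalculation, not the nvkm code. It assumes that the part left out of the read-pointer advance is a per-message queue header placed before the RPC header; the header sizes, the `rpc_hdr` layout and all function names are hypothetical, and the ring contents are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All sizes and layouts below are assumed values for illustration. */
#define PAGE     0x1000u  /* the queue is produced and consumed in whole pages */
#define ELEM_HDR 0x30u    /* assumed per-message queue header size */
#define RPC_HDR  0x20u    /* assumed RPC header size */
#define NPAGES   8u

struct rpc_hdr { uint32_t length; uint32_t function; };  /* hypothetical layout */
static uint8_t ring[NPAGES * PAGE];

static uint32_t pages(uint32_t bytes) { return (bytes + PAGE - 1) / PAGE; }

static uint32_t rpc_length_at(uint32_t page)
{
    struct rpc_hdr h;
    memcpy(&h, &ring[page * PAGE + ELEM_HDR], sizeof(h));
    return h.length;  /* RPC header + body, as the reader sees it */
}

/* Writer (models the GSP side): page count is derived from the total message size. */
static uint32_t put_msg(uint32_t wptr, uint32_t body_len, uint32_t fn)
{
    struct rpc_hdr h = { RPC_HDR + body_len, fn };
    memcpy(&ring[wptr * PAGE + ELEM_HDR], &h, sizeof(h));
    return (wptr + pages(ELEM_HDR + h.length)) % NPAGES;
}

/* Reader: the flawed variant counts only RPC header + body when advancing. */
static uint32_t advance(uint32_t rptr, int fixed)
{
    uint32_t len = rpc_length_at(rptr);
    return (rptr + pages(len + (fixed ? ELEM_HDR : 0u))) % NPAGES;
}

/* Queue two messages; return the length the reader finds for the second one. */
static uint32_t second_msg_length(int fixed)
{
    memset(ring, 0, sizeof(ring));
    uint32_t body = PAGE - RPC_HDR - 0x10u;  /* RPC part fits one page, total needs two */
    uint32_t w = put_msg(0, body, 0x1001u);  /* constructed message 1: pages 0-1 */
    put_msg(w, 0x40u, 0x1002u);              /* constructed message 2: page 2 */
    return rpc_length_at(advance(0, fixed));
}

int main(void)
{
    printf("flawed advance: length=0x%x\n", (unsigned)second_msg_length(0));
    printf("full-size advance: length=0x%x\n", (unsigned)second_msg_length(1));
    return 0;
}
```

In the flawed case the reader lands on the second page of the first message, whose zero-filled body is parsed as a header with length zero; a reader that rejects any length smaller than the RPC header would stop before using it.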

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a kernel panic. The error message reports a supervisor read access in kernel mode to a not-present page. The panic can disrupt system operations and cause a denial of service.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.