Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's memory management for huge pages (hugetlb) can lead to a NULL pointer dereference and a kernel crash. The issue arises when free hugetlb folios are replaced: a race condition allows a NULL pointer to be dereferenced, which crashes the system. The vulnerability is present in Linux kernel version 6.15.0-rc6-zp.
Exploitation of this vulnerability leads to a kernel crash due to a NULL pointer dereference.
The vulnerability can be reproduced by replacing free hugetlb folios while another path is updating and freeing a hugetlb folio; the two operations race with each other. The race can be triggered by running operations that manipulate hugetlb folios, such as allocating and freeing them, concurrently with the replacement of free hugetlb folios. A script or program can automate these concurrent actions to simulate the race condition that causes the NULL pointer dereference.
The vulnerability has been addressed by modifying the hugetlb folio replacement process to ensure it does not access a NULL pointer. Users should update to the latest version of the Linux kernel where this fix has been applied.