Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A NULL pointer dereference vulnerability has been identified in the Linux kernel's Direct Rendering Manager (DRM) GEM (Graphics Execution Manager) shmem (shared memory) implementation. The vulnerability arises because the dma_buf field in the drm_gem_object structure is not stable throughout the object's lifetime. When user space releases the final GEM handle on a buffer object, the dma_buf field becomes NULL, and later code that still uses the field dereferences a NULL pointer. Workarounds introduced in previous commits address the issue only partially: they do not work for buffer objects without an associated DRM framebuffer. As a result, the vulnerability remains exploitable under certain conditions.
Exploitation of this vulnerability leads to a NULL pointer dereference, causing a crash or denial-of-service condition on the affected system.
The vulnerability can be reproduced by creating a GEM buffer object and then releasing the final handle in user space. This action will nullify the dma_buf reference in the associated drm_gem_object, setting the stage for a NULL pointer dereference when the object is accessed again. The issue particularly arises with buffer objects that are not linked to a DRM framebuffer, as the applied workarounds fail in these cases.
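The lifetime problem described above can be shown with a small user-space model. This is an added example, not kernel code and not the upstream fix: all names are hypothetical, and the idea that a framebuffer pins one extra handle is a modelling assumption used to show why the earlier workarounds cover only objects with a framebuffer.

```c
#include <stddef.h>

/* Simplified user-space model; every name here is hypothetical, not kernel code. */
struct model_dma_buf { long size; };

struct model_gem_object {
    unsigned handle_count;          /* handles still held on the object */
    struct model_dma_buf *dma_buf;  /* not stable: cleared with the last handle */
};

static struct model_dma_buf backing = { 4096 };  /* constructed sample buffer */

/* Assumption: a framebuffer pins one extra handle, which is why the earlier
 * workarounds cover only buffer objects that have a framebuffer. */
void model_create(struct model_gem_object *obj, int has_framebuffer)
{
    obj->handle_count = has_framebuffer ? 2 : 1;
    obj->dma_buf = &backing;
}

/* User space closes its handle; the final release clears dma_buf. */
void model_release_user_handle(struct model_gem_object *obj)
{
    if (obj->handle_count > 0 && --obj->handle_count == 0)
        obj->dma_buf = NULL;
}

/* Pattern at fault: trusts dma_buf for the whole lifetime of the object.
 * Shown for contrast and never called below. */
long model_size_unchecked(const struct model_gem_object *obj)
{
    return obj->dma_buf->size;
}

/* Defensive accessor: read the field once and fail cleanly if it is gone. */
long model_size_guarded(const struct model_gem_object *obj)
{
    const struct model_dma_buf *buf = obj->dma_buf;
    return buf ? buf->size : -1;
}

/* Create, release the user handle, then access the object again. */
long model_size_after_release(int has_framebuffer)
{
    struct model_gem_object obj;
    model_create(&obj, has_framebuffer);
    model_release_user_handle(&obj);
    return model_size_guarded(&obj);
}
```

With a framebuffer the field survives the release; without one it is NULL, and only the guarded accessor returns an error instead of dereferencing it.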
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.