Linux Kernel NULL Pointer Dereference Vulnerability in SCLP Interrupt Handling

Vulnerability

A vulnerability in the Linux kernel's SCLP (System Control Language Processor) interrupt handling can lead to a NULL pointer dereference. The interrupt tracing code is meant to exit early when the SCCB (Subchannel Control Block) address delivered with an interrupt is NULL, but the NULL check is performed only after the physical address has been translated to a virtual one. If the kernel's identity mapping does not begin at physical address zero, the translated virtual address is never zero, so the NULL check never triggers and the code goes on to access the first page of the identity mapping instead. The vulnerability affects the Linux kernel on the s390 architecture.
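
The ordering error described above, shown as an added stand-alone C illustration (not kernel code): a simulated phys-to-virt translation with an assumed non-zero identity-mapping base, the NULL check placed after the translation as in the bug, and the same check placed before it as in the fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed identity-mapping base (constructed value, not taken from the
 * kernel): non-zero, which is the condition the advisory describes. */
#define IDENTITY_MAP_BASE 0x100000000ULL   /* 4 GiB */
#define PAGE_SIZE_BYTES   4096ULL

/* Simulated physical-to-virtual translation over an identity mapping
 * that starts at IDENTITY_MAP_BASE (stands in for the kernel's own). */
static uint64_t phys_to_virt(uint64_t phys)
{
    return IDENTITY_MAP_BASE + phys;
}

/* Buggy order: translate first, check the translated value second.
 * Returns the virtual address the handler would go on to access, or 0
 * if it bails out. With a non-zero base the check can never fire, so a
 * NULL SCCB becomes a pointer into the first page of the mapping. */
uint64_t vulnerable_handler_target(uint64_t sccb_phys)
{
    uint64_t sccb = phys_to_virt(sccb_phys);
    if (sccb == 0)                 /* never true: base + 0 != 0 */
        return 0;
    return sccb;                   /* would be dereferenced */
}

/* Fixed order: check the physical address before translating it. */
uint64_t fixed_handler_target(uint64_t sccb_phys)
{
    if (sccb_phys == 0)            /* NULL SCCB: exit early */
        return 0;
    return phys_to_virt(sccb_phys);
}

/* True if a would-be access lands in the first page of the mapping. */
int hits_first_page(uint64_t virt)
{
    return virt >= IDENTITY_MAP_BASE &&
           virt <  IDENTITY_MAP_BASE + PAGE_SIZE_BYTES;
}

int main(void)
{
    uint64_t bad = vulnerable_handler_target(0);
    uint64_t good = fixed_handler_target(0);
    printf("buggy check, NULL SCCB -> 0x%llx (first page: %d)\n",
           (unsigned long long)bad, hits_first_page(bad));
    printf("fixed check, NULL SCCB -> 0x%llx (bails out: %d)\n",
           (unsigned long long)good, good == 0);
    return 0;
}
```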

Impact

Exploitation of this vulnerability can cause a NULL pointer dereference, leading to a crash of the kernel or the affected process.

Reproduction

The vulnerability can be reproduced by triggering an SCLP interrupt with a NULL SCCB address, in a kernel environment where the identity mapping does not start at zero. This can be done by configuring the kernel to use a non-zero base for the identity mapping, and then generating an SCLP interrupt that does not have a valid SCCB address.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux Kernel Archives.

Added: Sep 5, 2025, 7:49 PM
Updated: Sep 5, 2025, 7:49 PM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          0.6
exploitability  4.3
remediation     7.7
relevance       0.5
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.