Linux Kernel Unbuffered Write Error Handling Vulnerability in Netfs

Vulnerability

A bug in the Linux kernel's netfs library, the shared I/O layer used by network filesystems such as CIFS, has been fixed in the way errors from unbuffered (direct) writes are accounted. An unbuffered write is split into subrequests, and a collector tallies how many bytes the stream transferred; that counter starts at the sentinel value LONG_MAX and was only overwritten when subrequests completed successfully. When every subrequest in an unbuffered write stream fails, the counter is never updated, so the request completes reporting LONG_MAX bytes written instead of the error. A caller that trusts that count then walks past the data it actually supplied, which ends in a NULL pointer dereference. The problem was found by running an xfstest against a CIFS mount with caching disabled: once the scratch space was exhausted every write failed, and the bogus transferred value caused a crash in the caller's buffer management.

Impact

Triggering the bug causes a kernel NULL pointer dereference in the splice write path, so the machine crashes or becomes unstable (a denial of service). The reproduction uses only ordinary splice writes into a file on a full share, so no privilege beyond write access to an affected mount is evident; no memory corruption or privilege escalation is described for this bug.

Reproduction

Mount a CIFS share with caching disabled (the cache=none mount option) and run the generic/750 xfstest against it; the test splices data into a file on the scratch mount. Once the scratch share is full, every write subrequest fails with ENOSPC. Instead of propagating that error, the filesystem's write_iter implementation returns the stream's untouched transferred counter, LONG_MAX, as the number of bytes written. iter_file_splice_write() in fs/splice.c then tries to consume that many bytes from the pipe, releasing each pipe buffer as it goes, runs past the buffers that actually hold data, and dereferences a NULL pointer for a buffer that does not exist. On a kernel with the fix the same write fails cleanly with ENOSPC and no oops is logged.
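The failure path above, as an added user-space model; this is not kernel code and not from the fix. The structs and functions (collect, write_iter_result, splice_cleanup, run_splice_write) are simplified stand-ins for netfs's subrequest/stream bookkeeping and for the cleanup loop in iter_file_splice_write(), and the three-buffer ENOSPC scenario is constructed. The model shows why a sentinel that is only replaced on the success path escapes into the caller, and what the caller does with it:

```c
/* User-space model of the netfs accounting bug: not kernel code. Names are
 * simplified stand-ins; the three-buffer ENOSPC scenario is constructed. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PIPE_SLOTS 8   /* pipe ring size, power of two */
#define CHUNK 4096     /* bytes per pipe buffer and per subrequest */

struct subreq { long len, transferred; int error; };   /* one write slice */
struct stream { long transferred; int error; };        /* whole request; starts at LONG_MAX */

struct pipe_buffer;
struct pipe_buf_ops { void (*release)(struct pipe_buffer *); };
struct pipe_buffer { long len; const struct pipe_buf_ops *ops; }; /* ops == NULL: empty slot */

static void page_buf_release(struct pipe_buffer *b) { b->len = 0; }
static const struct pipe_buf_ops page_buf_ops = { .release = page_buf_release };

/* Collector: account the contiguous successful prefix, stop at the first
 * failure. The buggy variant (fix == false) only replaces the LONG_MAX
 * sentinel on the success path, so an all-failed stream keeps it. */
static void collect(struct stream *s, const struct subreq *subs, size_t n, bool fix)
{
	s->transferred = LONG_MAX;
	s->error = 0;
	for (size_t i = 0; i < n; i++) {
		if (subs[i].error) {
			s->error = subs[i].error;
			if (fix && s->transferred == LONG_MAX)
				s->transferred = 0;   /* fix: nothing was written, say so */
			break;
		}
		if (s->transferred == LONG_MAX)
			s->transferred = 0;
		s->transferred += subs[i].transferred;
		if (subs[i].transferred < subs[i].len)
			break;                        /* short write ends the run */
	}
}

/* Completion: a non-zero byte count is returned in preference to the error. */
static long write_iter_result(const struct stream *s)
{
	return s->transferred > 0 ? s->transferred : s->error;
}

/* Cleanup loop modelled on iter_file_splice_write(): consume `ret` bytes,
 * releasing each fully consumed buffer. The kernel calls buf->ops->release()
 * unconditionally, so an empty slot is a NULL dereference there; the model
 * returns -1 at that point instead of the number of buffers released. */
static int splice_cleanup(struct pipe_buffer *bufs, long ret)
{
	unsigned tail = 0;
	int released = 0;
	while (ret > 0) {
		struct pipe_buffer *buf = &bufs[tail & (PIPE_SLOTS - 1)];
		if (!buf->ops)
			return -1;        /* walked past the last real buffer */
		if (ret < buf->len) {
			buf->len -= ret;  /* partial: keep the remainder */
			break;
		}
		ret -= buf->len;
		buf->ops->release(buf);
		buf->ops = NULL;
		released++;
		tail++;
	}
	return released;
}

struct outcome { long ret; int released; };

/* Splice three CHUNK-sized buffers: the first `nok` subrequests succeed, the
 * rest fail with -ENOSPC, as on a full scratch share. */
static struct outcome run_splice_write(bool fix, int nok)
{
	struct pipe_buffer bufs[PIPE_SLOTS] = {{0}};
	struct subreq subs[3];
	struct stream s;
	struct outcome out;
	for (int i = 0; i < 3; i++) {
		bufs[i].len = CHUNK;
		bufs[i].ops = &page_buf_ops;
		subs[i].len = CHUNK;
		subs[i].transferred = i < nok ? CHUNK : 0;
		subs[i].error = i < nok ? 0 : -ENOSPC;
	}
	collect(&s, subs, 3, fix);
	out.ret = write_iter_result(&s);
	out.released = out.ret > 0 ? splice_cleanup(bufs, out.ret) : 0;
	return out;
}

int main(void)
{
	struct outcome o = run_splice_write(false, 0);
	printf("buggy, all fail: write_iter=%ld, cleanup %s\n", o.ret,
	       o.released < 0 ? "reaches an empty slot (NULL deref in kernel)" : "ok");
	o = run_splice_write(true, 0);
	printf("fixed, all fail: write_iter=%ld, released=%d\n", o.ret, o.released);
	o = run_splice_write(true, 1);
	printf("fixed, one ok:   write_iter=%ld, released=%d\n", o.ret, o.released);
	return 0;
}
```

The general lesson the model makes visible is that a sentinel used as "not yet known" must be overwritten on every completion path, including the error path; any exit that can hand the sentinel to a caller turns a reported error into a claimed success of LONG_MAX bytes. The partial-success case (one subrequest succeeds) shows the fixed collector still reporting a genuine short write correctly.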

Remediation

Update to a stable kernel that carries the netfs fix (upstream commit "netfs: Fix unbuffered write error handling"), which makes the collector record a real transferred count when all subrequests fail instead of leaving the LONG_MAX sentinel in place. To confirm the fix on a patched kernel, rerun generic/750 against a CIFS mount with cache=none: the write should fail with ENOSPC and no oops should appear in the kernel log. Until the kernel is updated, avoiding cache=none on CIFS shares that can run out of space reduces exposure, but does not remove it, since O_DIRECT writes take the unbuffered path regardless of the cache option.

Added: Sep 5, 2025, 7:11 PM
Updated: Sep 5, 2025, 7:11 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.