Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Ceph module of the Linux kernel can lead to a NULL pointer dereference, causing a kernel crash. This issue arises because the function 'ceph_process_folio_batch()' improperly sets folio_batch entries to NULL, creating an illegal state. The 'ceph_shift_unused_folios_left()' function is intended to correct this by removing NULL entries, but recent changes have made it ineffective. As a result, any error in 'ceph_process_folio_batch()' can trigger a kernel crash, particularly if certain conditions are met, such as the allocation of a 'huge_zero_folio'.
Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by modifying the 'ceph_check_page_before_write()' function to return '-E2BIG'. This change makes 'ceph_process_folio_batch()' exit early, leaving NULL entries in the folio_batch. When 'ceph_writepages_start()' is then called, it attempts to process these NULL entries and crashes. Note that this reproduction depends on the 'huge_zero_folio' being allocated: without that allocation, 'folios_put_refs()' skips NULL entries, which makes the crash less reliable.
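A constructed C model of the folio_batch invariant the description relies on, added here and not the kernel's own code: process_folio_batch() NULLs each consumed slot and exits early on an error such as -E2BIG, shift_unused_folios_left() compacts the remaining entries so no NULL slot survives below nr, and count_null_slots() is the check a consumer such as the writepages loop would want before walking the batch. The structures, the simplified function bodies and the index-based failure trigger are stand-ins modelled on the names in the description, not the kernel's implementation.

```c
#include <errno.h>
#include <stddef.h>

#define FBATCH_MAX 15

/* Constructed stand-ins for a folio and a folio_batch: nr live entries at the front. */
struct folio { unsigned long index; };
struct folio_batch { unsigned int nr; struct folio *folios[FBATCH_MAX]; };

/* Stand-in for the per-folio check; fails with -E2BIG on the folio at fail_index. */
static int check_folio_before_write(const struct folio *f, unsigned long fail_index)
{
    return f->index == fail_index ? -E2BIG : 0;
}

/* Consume folios, NULLing each handed-off slot. An error returns early and
 * leaves the leading NULL slots behind: the illegal state described above. */
static int process_folio_batch(struct folio_batch *fb, unsigned long fail_index)
{
    for (unsigned int i = 0; i < fb->nr; i++) {
        int rc = check_folio_before_write(fb->folios[i], fail_index);
        if (rc)
            return rc;
        fb->folios[i] = NULL;
    }
    return 0;
}

/* Compaction the error path must run: keep only non-NULL entries and shrink nr. */
static unsigned int shift_unused_folios_left(struct folio_batch *fb)
{
    unsigned int j = 0;
    for (unsigned int i = 0; i < fb->nr; i++)
        if (fb->folios[i])
            fb->folios[j++] = fb->folios[i];
    for (unsigned int i = j; i < fb->nr; i++)
        fb->folios[i] = NULL;
    fb->nr = j;
    return j;
}

/* Invariant a consumer like the writepages loop needs: zero NULL slots below nr. */
static unsigned int count_null_slots(const struct folio_batch *fb)
{
    unsigned int n = 0;
    for (unsigned int i = 0; i < fb->nr; i++)
        n += (fb->folios[i] == NULL);
    return n;
}
```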
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.