Linux Kernel Invalid Pointer Dereference Vulnerability in SLUB Memory Allocator

A vulnerability in the Linux kernel's SLUB memory allocator can lead to a denial-of-service condition by causing a kernel crash. This issue arises when the 'object_err()' function attempts to access metadata of an object through a pointer that has been determined invalid, particularly due to freelist corruption. The invalid pointer access can cause a crash, as the pointer does not reference a valid object. The problem occurs when 'alloc_consistency_checks()' identifies the pointer as invalid and calls 'object_err()' to report the issue. The 'object_err()' function is supposed to handle such corruption gracefully, but instead, it crashes the system. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability leads to a kernel crash, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by introducing freelist corruption in the SLUB memory allocator. Once the freelist is corrupted, the 'alloc_consistency_checks()' function will identify valid pointers as invalid. When this happens, 'object_err()' is called to report the error, but instead of handling the situation gracefully, it crashes the kernel by accessing invalid metadata. This sequence of events can be triggered by specific memory allocation patterns or by manually corrupting the freelist, depending on the system's workload and memory management.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.