Linux Kernel NULL Pointer Dereference Vulnerability in TEE Shared Memory Registration

A vulnerability in the Linux kernel's handling of shared memory registration in the Trusted Execution Environment (TEE) can lead to a NULL pointer dereference. This issue arises in the 'register_shm_helper()' function, where the error handling for 'iov_iter_extract_pages()' is incorrect. The function fails to account for scenarios where only a portion of the requested pages is retrieved, leaving some buffer parts unmapped. This vulnerability can be triggered by malformed input through the 'ioctl(TEE_IOC_SHM_REGISTER)' call.

Impact

Exploitation of this vulnerability can cause a NULL pointer dereference, potentially leading to a system crash or other undefined behavior.

Reproduction

To reproduce this vulnerability, invoke the 'ioctl' function with 'TEE_IOC_SHM_REGISTER' while providing a buffer that is only partially mapped. The 'register_shm_helper()' function will then mishandle the input, causing a NULL pointer dereference.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.