Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's libceph component can lead to a NULL pointer dereference. The issue is in the free_choose_arg_map() function, which can be called after a partial allocation failure, in particular in the decode_choose_args() function. When the allocation of arg_map->args fails, free_choose_arg_map() is invoked. Because arg_map->size is updated to a non-zero value before the memory allocation, free_choose_arg_map() attempts to iterate over arg_map->args and dereferences a NULL pointer. The vulnerability has been addressed by adding NULL pointer checks before the iteration, so that free_choose_arg_map() can safely handle a partial allocation.
Exploitation of this vulnerability can cause a NULL pointer dereference, leading to a crash of the affected process or component.
The vulnerability can be reproduced by triggering a partial allocation failure in the decode_choose_args() function, which will cause the free_choose_arg_map() function to dereference a NULL pointer. This can be done by manipulating the allocation process of arg_map->args to fail after the size has been updated, causing the free_choose_arg_map() function to incorrectly assume it has valid data to process.
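The failure mode described above, modeled in userspace C as an added example (not the kernel's code or the upstream patch). The structure layout, the function names free_map_unchecked, free_map_checked and decode_map, and the fail_args_alloc knob are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified userspace stand-ins for the libceph structures (assumed layout). */
struct choose_arg { uint32_t *ids; };
struct choose_arg_map { struct choose_arg *args; uint32_t size; };

int fail_args_alloc; /* constructed fault-injection knob for this example */

/* "Before" shape: trusts size, so args == NULL with size > 0 is dereferenced. */
void free_map_unchecked(struct choose_arg_map *m)
{
    for (uint32_t i = 0; i < m->size; i++)
        free(m->args[i].ids);
    free(m->args);
    free(m);
}

/* Hardened shape: NULL checks before iterating, safe on a partial map. */
void free_map_checked(struct choose_arg_map *m)
{
    if (!m)
        return;
    for (uint32_t i = 0; m->args && i < m->size; i++)
        free(m->args[i].ids);
    free(m->args);
    free(m);
}

/* Decode path (n > 0 assumed): size is recorded before args is allocated. */
int decode_map(uint32_t n, void (*free_fn)(struct choose_arg_map *), int *partial)
{
    struct choose_arg_map *m = calloc(1, sizeof(*m));
    if (!m)
        return -ENOMEM;
    m->size = n;
    m->args = fail_args_alloc ? NULL : calloc(n, sizeof(*m->args));
    *partial = (m->size != 0 && m->args == NULL);
    int ret = m->args ? 0 : -ENOMEM;
    free_fn(m); /* on failure this frees a partially built map */
    return ret;
}

int main(void)
{
    int partial = 0;
    fail_args_alloc = 1;
    return decode_map(4, free_map_checked, &partial) == -ENOMEM && partial ? 0 : 1;
}
```

Passing free_map_unchecked to decode_map while fail_args_alloc is set reproduces the crash in this model, which is why main() only exercises the checked variant on the failure path.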
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux kernel documentation.