Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's NVMe over TCP implementation can lead to a NULL pointer dereference and a kernel panic. The issue lies in the 'nvmet_tcp_build_pdu_iovec' function, which dereferences pointers in the command data structures without first checking that they are non-NULL. The vulnerability can be triggered by sending an H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before any CONNECT or NVMe write command has been issued. Because the command's data structures are not validated, the dereference can be reached in several states, such as an uninitialized command slot or a READ operation, where only some of the pointers have been allocated.
Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.
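The defensive check the page describes as missing, as an added illustration rather than the kernel's own code: a minimal model of a target-side queue in which the iovec builder validates the command slot's state and buffer pointers before touching them, so a premature H2C_DATA PDU is rejected instead of dereferencing NULL. All structure and function names here are hypothetical stand-ins, not nvmet_tcp identifiers.

```c
/* Hypothetical model of an NVMe/TCP target queue (not kernel code). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum pdu_type { PDU_ICREQ = 0, PDU_H2C_DATA = 6 };
enum cmd_state { CMD_FREE, CMD_READ, CMD_WRITE };

struct model_cmd {
    enum cmd_state state;
    uint8_t *sg;      /* data buffer: NULL until a WRITE command sets it up */
    size_t sg_len;
};

struct model_queue {
    int handshake_done;           /* set once ICREQ/ICRESP has completed */
    struct model_cmd cmds[4];
};

/* Returns 0 on success, a negative errno when the PDU must be rejected. */
static int build_pdu_iovec(struct model_queue *q, unsigned idx)
{
    if (idx >= 4)
        return -EINVAL;
    struct model_cmd *cmd = &q->cmds[idx];
    /* The validation the page says was absent: only a WRITE command with an
     * allocated buffer may receive host-to-controller data. */
    if (cmd->state != CMD_WRITE || cmd->sg == NULL || cmd->sg_len == 0)
        return -EPROTO;
    memset(cmd->sg, 0, cmd->sg_len);  /* stand-in for mapping the iovec */
    return 0;
}

int handle_pdu(struct model_queue *q, enum pdu_type t, unsigned cmd_idx)
{
    if (t == PDU_ICREQ) { q->handshake_done = 1; return 0; }
    if (t != PDU_H2C_DATA || !q->handshake_done) return -EPROTO;
    return build_pdu_iovec(q, cmd_idx);
}

/* Scenario from the page: H2C_DATA right after the handshake, no CONNECT. */
int scenario_premature_h2c_data(void)
{
    struct model_queue q = {0};
    handle_pdu(&q, PDU_ICREQ, 0);
    return handle_pdu(&q, PDU_H2C_DATA, 0);   /* -EPROTO, no NULL deref */
}

/* Contrast: a WRITE command whose buffer was allocated is accepted. */
int scenario_valid_write(void)
{
    static uint8_t buf[64];
    struct model_queue q = {0};
    handle_pdu(&q, PDU_ICREQ, 0);
    q.cmds[1] = (struct model_cmd){ CMD_WRITE, buf, sizeof buf };
    return handle_pdu(&q, PDU_H2C_DATA, 1);   /* 0 */
}
```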
To reproduce this vulnerability, send an H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before issuing a CONNECT command or NVMe write command. This can be done by targeting the NVMe over TCP interface and manipulating the command data structures to create a state that triggers the NULL pointer dereference.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.