Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of sleepable contexts can lead to a NULL pointer dereference. This issue arises in the 'lib/buildid' component when the file reading function accesses the page cache directly, potentially causing a crash. The vulnerability has been addressed by modifying the file reader to use the standard kernel file reading interface, which manages the complexities of file data retrieval more effectively. The issue was reported by syzbot and has been resolved in the stable Linux kernel.
Exploitation of this vulnerability can cause a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by triggering the 'filemap_read_folio' function in a sleepable context, which accesses the page cache directly. This can be done by creating a scenario where the file reader's 'may_fault' flag is set, indicating that the operation can sleep, and then attempting to read a file offset that is not cached or up-to-date, causing the function to dereference a NULL pointer.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel's official website.