Linux Kernel Arm64 Fpsimd ZA Context Restoration Vulnerability Leading to Null Pointer Dereference

Vulnerability

A vulnerability in the Linux kernel's handling of the arm64 ZA signal context can lead to a NULL pointer dereference. The kernel did not allocate the task's SVE state before restoring a ZA context, which matters in particular when a task's context is saved and later restored by a tool such as CRIU. A task can therefore reach an invalid state in which ZA state is present but the SVE state pointer is NULL; when the kernel later attempts to load that task's register state, it dereferences the NULL pointer and crashes. The issue has been addressed by ensuring that SVE state is allocated before the ZA context is restored, which prevents the NULL pointer dereference.

Impact

Triggering this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operation and resulting in a denial of service.

Reproduction

The vulnerability can be reproduced by restoring a task's ZA context without the corresponding SVE state having been allocated, typically after the task has been checkpointed and restored with a tool such as CRIU: create a task that uses ZA, save it with CRIU, and restore it, which leaves the task's SVE state NULL. When the restored task is next scheduled to run, the kernel attempts to load its register state, dereferences the NULL pointer and crashes.
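The ordering problem described above, as an added illustrative model and not code from the Linux kernel: a task's SVE buffer may be absent until first use, so a ZA restore path that does not first allocate it leaves the task in a state the register-load path cannot handle. All names (task_fp_state, restore_za_buggy, restore_za_fixed, load_registers_check) and sizes are assumptions for the model.

```c
/* Simplified user-space model of the invariant, not kernel code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SVE_STATE_SIZE 512   /* constructed sizes, not real vector-length values */
#define ZA_STATE_SIZE  1024

struct task_fp_state {
    uint8_t *sve_state;  /* NULL until allocated, as for a task that never used SVE */
    uint8_t *za_state;   /* NULL until the task first uses ZA */
};

static int alloc_if_missing(uint8_t **slot, size_t size) {
    if (*slot) return 0;
    *slot = calloc(1, size);
    return *slot ? 0 : -1;
}

/* Buggy restore: fills ZA but never guarantees the SVE buffer exists. */
int restore_za_buggy(struct task_fp_state *t, const uint8_t *frame) {
    if (alloc_if_missing(&t->za_state, ZA_STATE_SIZE)) return -1;
    memcpy(t->za_state, frame, ZA_STATE_SIZE);
    return 0;
}

/* Fixed restore: allocate SVE state first, then ZA, then copy the frame. */
int restore_za_fixed(struct task_fp_state *t, const uint8_t *frame) {
    if (alloc_if_missing(&t->sve_state, SVE_STATE_SIZE)) return -1;
    if (alloc_if_missing(&t->za_state, ZA_STATE_SIZE)) return -1;
    memcpy(t->za_state, frame, ZA_STATE_SIZE);
    return 0;
}

/* Models the schedule-in path: returns -1 where the real kernel would
 * dereference a NULL SVE pointer, 0 when the register state is loadable. */
int load_registers_check(const struct task_fp_state *t) {
    if (t->za_state && !t->sve_state) return -1;
    return 0;
}

/* Scenario helpers: restore a constructed ZA frame into a fresh task. */
int buggy_scenario(void) {
    struct task_fp_state t = {0}; uint8_t frame[ZA_STATE_SIZE] = {0x5a};
    if (restore_za_buggy(&t, frame)) return -2;
    return load_registers_check(&t);   /* -1: invariant broken */
}
int fixed_scenario(void) {
    struct task_fp_state t = {0}; uint8_t frame[ZA_STATE_SIZE] = {0x5a};
    if (restore_za_fixed(&t, frame)) return -2;
    return load_registers_check(&t);   /* 0: SVE state present */
}
```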

Remediation

Users should upgrade to a patched version of the Linux kernel in which this issue has been fixed. Instructions for downloading the latest stable kernel can be found on the official Linux kernel website.

Added: Feb 4, 2026, 5:30 PM
Updated: Feb 4, 2026, 5:30 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 2.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.