Linux Kernel NULL Pointer Dereference Vulnerability in Event Tracing

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's event tracing mechanism. The issue is in the 'trigger_data_free()' function, which does not properly handle a NULL argument. When 'trigger_data_alloc()' fails and returns NULL, 'event_hist_trigger_parse()' jumps to its error handling path and passes that NULL pointer on to be freed. 'kfree()' safely accepts a NULL pointer, but 'trigger_data_free()' does not: it dereferences the pointer when it tries to access 'data->cmd_ops->set_filter'. This vulnerability affects the Linux kernel stable versions through 6.18.y.
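
The failure pattern described above, modelled in userspace C as an added example (not kernel source and not the upstream patch). The struct layouts, the model_* names and the NULL guard shown as the hardened form are assumptions made for illustration.

```c
/* Userspace model, added for illustration. Struct layouts and model_* names
 * are assumptions; only the call pattern follows the advisory text. */
#include <errno.h>
#include <stdlib.h>

struct cmd_ops { void (*set_filter)(void *data); };
struct trigger_data { const struct cmd_ops *cmd_ops; };

static int filter_clears;                 /* counts set_filter() invocations */
static void model_set_filter(void *data) { (void)data; filter_clears++; }
static const struct cmd_ops model_ops = { .set_filter = model_set_filter };

/* Allocation that can be forced to fail, standing in for trigger_data_alloc(). */
static struct trigger_data *model_alloc(int fail)
{
    struct trigger_data *d = fail ? NULL : malloc(sizeof(*d));
    if (d)
        d->cmd_ops = &model_ops;
    return d;
}

/* Pattern from the advisory: data is dereferenced unconditionally, so a NULL
 * argument faults on data->cmd_ops. Kept for contrast; this file never calls
 * it with NULL. */
static void model_free_unguarded(struct trigger_data *data)
{
    if (data->cmd_ops->set_filter)
        data->cmd_ops->set_filter(data);
    free(data);
}

/* Hardened form (assumed): tolerate NULL the same way kfree()/free() do. */
static void model_free_guarded(struct trigger_data *data)
{
    if (!data)
        return;
    model_free_unguarded(data);
}

/* Simplified parse path: cleanup runs whether or not allocation succeeded,
 * which is how a NULL pointer reaches the free routine. */
static int model_parse(int fail_alloc)
{
    struct trigger_data *data = model_alloc(fail_alloc);
    int ret = data ? 0 : -ENOMEM;

    model_free_guarded(data);   /* reached with data == NULL on failure */
    return ret;
}
```

Replacing model_free_guarded() with model_free_unguarded() in model_parse() reproduces the fault in this model whenever the allocation is forced to fail.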

Impact

Exploitation of this vulnerability leads to a NULL pointer dereference, causing a crash in the kernel.

Reproduction

The vulnerability can be reproduced by triggering a scenario where 'trigger_data_alloc()' fails and returns NULL. This can be done by manipulating the event tracing system to allocate trigger data incorrectly. Once NULL is returned, 'event_hist_trigger_parse()' attempts to free the data using 'trigger_data_free()', which causes a NULL pointer dereference when it tries to access 'data->cmd_ops->set_filter'. This sequence of events can be automated with a script that interacts with the kernel's tracing events, simulating the conditions that lead to the NULL allocation.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the documentation for your specific Linux distribution.

Added: Mar 25, 2026, 12:59 PM
Updated: Mar 25, 2026, 12:59 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.