Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A NULL pointer dereference vulnerability has been identified in the Linux kernel's netfs component, specifically in the unbuffered write path. The issue arises when a write subrequest is marked for retry: the retry code calls the stream's prepare_write operation without first checking whether it is set, so on filesystems that do not define prepare_write, such as 9P, the call dereferences a NULL pointer. The condition is reached when get_user_pages fails and the subrequest is flagged for retry, causing a crash at a specific line in the netfs direct write source file.
Exploitation of this vulnerability leads to a NULL pointer dereference, causing a crash of the affected process.
To reproduce this vulnerability, create a write subrequest in the netfs unbuffered write process and mark it with the NETFS_SREQ_NEED_RETRY flag. Ensure that the filesystem in use does not set the prepare_write operation, such as the 9P filesystem. When the get_user_pages function fails with an EFAULT error, the subrequest will be retried, causing a NULL pointer dereference and crashing the process.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.
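As an added illustration that is not kernel code and not taken from the page, the following is a simplified C model of the retry path: the unchecked call beside a hardened form that tests the optional prepare_write hook before invoking it. The struct layouts, the NETFS_SREQ_NEED_RETRY bit value and the demo hook are assumptions made for this model.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical, simplified model of the netfs retry path; not kernel code. */
#define NETFS_SREQ_NEED_RETRY (1UL << 0) /* assumed bit value */

struct netfs_io_subrequest {
	unsigned long flags;
	size_t len;
};

struct netfs_io_stream {
	/* Optional per-filesystem hook; a 9P-style stream leaves it NULL. */
	int (*prepare_write)(struct netfs_io_subrequest *subreq);
};

/* Vulnerable shape: the hook is invoked whenever a retry is requested,
 * so a stream whose prepare_write is NULL dereferences a NULL pointer. */
int retry_subreq_unchecked(struct netfs_io_stream *stream,
			   struct netfs_io_subrequest *subreq)
{
	if (!(subreq->flags & NETFS_SREQ_NEED_RETRY))
		return 0;
	return stream->prepare_write(subreq); /* crashes when NULL */
}

/* Hardened shape: call the hook only when the filesystem provides one. */
int retry_subreq_checked(struct netfs_io_stream *stream,
			 struct netfs_io_subrequest *subreq)
{
	if (!(subreq->flags & NETFS_SREQ_NEED_RETRY))
		return 0;
	if (stream->prepare_write)
		return stream->prepare_write(subreq);
	return 0; /* nothing to prepare; retry the write as-is */
}

/* Constructed hook standing in for a filesystem that defines prepare_write. */
int demo_prepare_write(struct netfs_io_subrequest *subreq)
{
	return subreq->len ? 0 : -EINVAL; /* reject an empty subrequest */
}

/* Drive one retry through the hardened path; returns the resulting status. */
int checked_retry_demo(int fs_defines_hook, size_t len)
{
	struct netfs_io_stream s = { fs_defines_hook ? demo_prepare_write : NULL };
	struct netfs_io_subrequest sr = { NETFS_SREQ_NEED_RETRY, len };
	return retry_subreq_checked(&s, &sr);
}
```

Calling retry_subreq_unchecked() with the hook-less stream reproduces the crash shape described above; the checked variant returns 0 for that stream and defers to the hook otherwise.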