Linux Kernel DAMON NULL Pointer Dereference Vulnerability via Sysfs Command Paths

Vulnerability

A vulnerability in the Linux kernel's Data Access Monitoring (DAMON) subsystem can lead to NULL pointer dereferences. The issue arises because several sysfs command paths dereference the first element of the contexts array without first verifying that the number of contexts is exactly one. A privileged user can trigger the dereference by setting the number of contexts to zero through sysfs while DAMON is running. The vulnerability affects Linux kernel versions 5.18 and later.

Impact

Triggering this vulnerability causes a NULL pointer dereference in the kernel, crashing the DAMON subsystem (denial of service).

Reproduction

To reproduce this vulnerability, first start the DAMON subsystem and ensure that the contexts directory is empty, which can be verified by checking that the number of contexts is zero. Then navigate to the sysfs directory of the DAMON instance and set the number of contexts to zero. After this, any sysfs command that accesses DAMON's internal context data dereferences a NULL pointer and crashes the subsystem.

Remediation

The vulnerability has been fixed in the Linux kernel: the affected sysfs command paths now validate the number of contexts before dereferencing the contexts array. Users should upgrade to a kernel release that includes the fix.

Added: Apr 22, 2026, 3:38 PM
Updated: Apr 22, 2026, 3:38 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  3.8
remediation     7.7
relevance       6.2
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.