Linux Kernel NULL Pointer Dereference Vulnerability in AF_ALG Interface

Vulnerability

A vulnerability in the Linux kernel's AF_ALG interface can lead to a NULL pointer dereference and a subsequent kernel panic. The issue arises because the interface does not correctly manage the end marker of a Scatter/Gather List (SGL) when chaining a new list onto an existing one. Specifically, if a sendmsg() operation fills an SGL to its maximum capacity, its last entry is marked as the end of the list. When a subsequent sendmsg() allocates a new SGL and chains it to the previous one without clearing that end marker, the crypto scatterwalk stops at the stale marker before reaching the chained entries. As a result, sg_next() returns NULL, and dereferencing that pointer panics the kernel.

Impact

Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, send a message that fills a Scatter/Gather List (SGL) exactly to its maximum capacity, so that the last entry is marked as the end. Then send another message, which allocates a new SGL and chains it to the first. Because the end marker on the previous SGL's last entry is not cleared, the crypto scatterwalk stops there and sg_next() returns NULL; the NULL pointer is then dereferenced, causing a kernel panic.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.

Added: May 1, 2026, 3:34 PM
Updated: May 1, 2026, 3:34 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.