Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's Direct Rendering Manager (DRM) for the Qualcomm Snapdragon Mobile Series (MSM) graphics driver. The issue arises in the GEM (Graphics Execution Manager) metadata handling, specifically within the 'msm_ioctl_gem_info_get_metadata' function. This function improperly manages error conditions by always returning 0, regardless of whether an error has occurred. When the 'copy_to_user' function fails or the user-provided buffer is insufficient, the function ignores the actual error code and misleadingly indicates success. Furthermore, the 'kmemdup' function, which duplicates memory, can return NULL if the memory allocation fails. The current implementation does not check for this potential NULL return, leading to a NULL pointer dereference when 'copy_to_user' is called. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can lead to a NULL pointer dereference, causing a crash of the affected system or application.
The vulnerability can be reproduced by invoking the 'msm_ioctl_gem_info_get_metadata' function in a scenario where the 'copy_to_user' operation fails or the user buffer is too small. This exercises the error-handling flaw: the function returns 0 instead of the appropriate error code. Additionally, if 'kmemdup' fails to allocate memory, the subsequent 'copy_to_user' call dereferences a NULL pointer, causing a crash.
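The two defects described above are a generic error-propagation pattern, so the following added example models them in plain userspace C rather than reproducing the kernel driver's code. It is not the Linux kernel's source: 'kmemdup' and 'copy_to_user' are replaced by the hypothetical 'sim_kmemdup' and 'sim_copy_to_user' stubs whose failures can be toggled, the object and metadata are constructed, and the specific error codes (-ENOMEM, -EFAULT, -EINVAL for a too-small buffer) are assumptions, not necessarily those chosen in the upstream fix. The flawed handler is shown beside the corrected one so the difference in returned status can be checked directly.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Failure toggles for the simulated kernel helpers (test scaffolding, not kernel API). */
static int sim_alloc_fail;   /* when set, sim_kmemdup() returns NULL */
static int sim_copy_fail;    /* when set, sim_copy_to_user() reports a fault */

/* Model of kmemdup(): duplicate len bytes, NULL when allocation fails. */
static void *sim_kmemdup(const void *src, size_t len)
{
    void *p;
    if (sim_alloc_fail)
        return NULL;
    p = malloc(len);
    if (p)
        memcpy(p, src, len);
    return p;
}

/* Model of copy_to_user(): returns the number of bytes NOT copied (0 on success).
 * A NULL source is aborted explicitly to stand in for the kernel oops. */
static unsigned long sim_copy_to_user(void *to, const void *from, unsigned long n)
{
    if (!from) {
        fprintf(stderr, "NULL pointer dereference in copy_to_user model\n");
        abort();
    }
    if (sim_copy_fail)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Hypothetical stand-in for the GEM object's metadata fields. */
struct sim_gem_object {
    const void *metadata;
    uint32_t metadata_size;
};

/* Flawed pattern: ret is computed but the function returns 0 unconditionally,
 * and the kmemdup() result is never checked before it is copied out. */
static int get_metadata_flawed(struct sim_gem_object *obj, void *user_buf, uint32_t *user_size)
{
    uint32_t len = obj->metadata_size;
    void *buf = sim_kmemdup(obj->metadata, len);
    int ret = 0;

    if (*user_size < len)
        ret = -EINVAL;
    else if (sim_copy_to_user(user_buf, buf, len))   /* crashes if buf == NULL */
        ret = -EFAULT;
    else
        *user_size = len;

    free(buf);
    return 0;   /* bug: ret is discarded, caller always sees success */
}

/* Corrected pattern: allocation failure is checked first, and the real status
 * is propagated to the caller. */
static int get_metadata_fixed(struct sim_gem_object *obj, void *user_buf, uint32_t *user_size)
{
    uint32_t len = obj->metadata_size;
    void *buf = sim_kmemdup(obj->metadata, len);
    int ret = 0;

    if (!buf)
        return -ENOMEM;

    if (*user_size < len)
        ret = -EINVAL;
    else if (sim_copy_to_user(user_buf, buf, len))
        ret = -EFAULT;
    else
        *user_size = len;

    free(buf);
    return ret;
}

/* Run one handler under a chosen failure mode with a constructed object. */
static int run_case(int (*fn)(struct sim_gem_object *, void *, uint32_t *),
                    int alloc_fail, int copy_fail, uint32_t user_size)
{
    static const char meta[] = "constructed-metadata";   /* 21 bytes incl. NUL */
    struct sim_gem_object obj = { meta, sizeof(meta) };
    char user_buf[64] = {0};

    sim_alloc_fail = alloc_fail;
    sim_copy_fail = copy_fail;
    return fn(&obj, user_buf, &user_size);
}

int main(void)
{
    printf("flawed, copy fault     -> %d (expected error, got success)\n",
           run_case(get_metadata_flawed, 0, 1, 64));
    printf("flawed, buffer too small -> %d\n", run_case(get_metadata_flawed, 0, 0, 4));
    printf("fixed,  copy fault     -> %d\n", run_case(get_metadata_fixed, 0, 1, 64));
    printf("fixed,  buffer too small -> %d\n", run_case(get_metadata_fixed, 0, 0, 4));
    printf("fixed,  alloc failure  -> %d\n", run_case(get_metadata_fixed, 1, 0, 64));
    printf("fixed,  success        -> %d\n", run_case(get_metadata_fixed, 0, 0, 64));
    return 0;
}
```

The flawed handler is deliberately never run with the allocation-failure toggle set, because that path is exactly the NULL dereference the advisory describes; the corrected handler returns -ENOMEM before any copy is attempted. The general review point is the one the page makes: a locally computed status must reach the 'return', and every allocation result must be checked before it is passed to 'copy_to_user'.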
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The official Linux kernel Git repository contains the patched version.