Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's batman-adv module can cause a NULL pointer dereference. This issue arises in the claim purging function, batadv_bla_purge_claims(), which improperly handles claims that are in the process of being released. The function only traverses the claim list with a read lock, allowing it to encounter claims that have been partially freed. As a result, the backbone_gw pointer can be set to NULL before the claim is fully released, leading to a dereference of a NULL pointer when the backbone_gw is accessed. The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability causes a NULL pointer dereference, which can lead to a system crash or instability.
The vulnerability can be reproduced by invoking the batadv_bla_purge_claims() function while claims are being concurrently released. This can be simulated by performing operations that trigger claim releases in parallel with the purging process, causing the purging function to encounter claims that are in the midst of being freed.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux stable tree.
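The race described above, as a simplified userspace C model added here for illustration; it is not kernel code and not the upstream fix. The struct layout, the function names claim_put, claim_get_unless_zero and purge_check, and the guard itself (take a reference only while the count is non-zero, as the kernel's kref_get_unless_zero() does) are assumptions.

```c
/* Added illustration: userspace model, not kernel code. Names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct backbone_gw { unsigned long lasttime; };
struct claim {
    atomic_int refcount;             /* 0 means release has started */
    struct backbone_gw *backbone_gw; /* cleared by the last put */
};

/* Last put clears backbone_gw; a lockless list walker can still reach the claim. */
static void claim_put(struct claim *c)
{
    if (atomic_fetch_sub(&c->refcount, 1) == 1)
        c->backbone_gw = NULL;
}

/* Take a reference only if the claim is still live (cf. kref_get_unless_zero()). */
static bool claim_get_unless_zero(struct claim *c)
{
    int old = atomic_load(&c->refcount);
    while (old != 0)
        if (atomic_compare_exchange_weak(&c->refcount, &old, old + 1))
            return true;
    return false;
}

/* Purge-time check: -1 = skipped (being released), 1 = timed out, 0 = fresh. */
static int purge_check(struct claim *c, unsigned long now, unsigned long timeout)
{
    if (!claim_get_unless_zero(c))
        return -1;                   /* never touch c->backbone_gw here */
    int expired = (now - c->backbone_gw->lasttime) > timeout;
    claim_put(c);
    return expired;
}

int main(void)
{
    struct backbone_gw gw = { .lasttime = 100 };      /* constructed sample */
    struct claim c = { .refcount = 1, .backbone_gw = &gw };
    printf("live claim: %d\n", purge_check(&c, 150, 20));
    claim_put(&c);                   /* release begins; backbone_gw is now NULL */
    printf("released claim: %d\n", purge_check(&c, 150, 20));
    return 0;
}
```

Without the claim_get_unless_zero() check, the second purge_check() call would read lasttime through a NULL backbone_gw, which is the crash condition the description names.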