CVE-2025-38255
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-11-19
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a NULL pointer dereference in the Linux kernel's group_cpus_evenly() function, the helper that spreads CPUs evenly across a requested number of groups (used, among other places, when a block driver maps its hardware queues to CPUs). When the caller passes numgrps == 0, the function asks kcalloc() for a zero-length array. The kernel allocator does not return NULL for a zero-byte request; it returns ZERO_SIZE_PTR, a small non-NULL constant, so the usual "allocation failed" check passes and the function goes on to write through the pointer, which faults and panics the kernel. The reported trigger is the null_blk test driver configured through configfs: writing 0 to its poll_queues attribute makes the driver request zero groups and crashes the machine.
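To make the ZERO_SIZE_PTR behaviour concrete, here is an added userspace model in C. It is not code from the kernel or from this page: model_kcalloc(), model_kfree(), spread_cpus(), the cpu_group struct and the two group_cpus_evenly_* routines are simplified stand-ins written for this example; only the ZERO_SIZE_PTR and ZERO_OR_NULL_PTR definitions and the numgrps == 0 check mirror the kernel. The model stops and records "would oops" at the point where a real kernel would fault, instead of actually dereferencing the bad pointer.

```c
/* Added example: userspace model of why kcalloc(0, ...) slips past a NULL
 * check. Kernel kmalloc-family calls return ZERO_SIZE_PTR (a small non-NULL
 * constant) for zero-size requests; dereferencing it faults just like NULL. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Same values as the kernel's include/linux/slab.h. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= (unsigned long)ZERO_SIZE_PTR)

#define MAX_CPUS 64

/* A group's CPU set as a bitmask: a hypothetical stand-in for a cpumask. */
struct cpu_group { unsigned long cpus; };

/* Models kcalloc(): a zero-size request yields ZERO_SIZE_PTR, not NULL. */
static void *model_kcalloc(size_t n, size_t size)
{
    if (n == 0 || size == 0)
        return ZERO_SIZE_PTR;
    return calloc(n, size);
}

/* Models kfree(): ZERO_SIZE_PTR and NULL are both accepted and ignored. */
static void model_kfree(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

/* Set when the last call reached a write through ZERO_SIZE_PTR. A real
 * kernel oopses there; the model records the event and returns instead. */
static bool last_call_would_oops;

/* Spreads ncpus CPUs round-robin over numgrps groups. This is the step that
 * writes through masks, i.e. where the kernel panics when masks is bogus. */
static void spread_cpus(struct cpu_group *masks, unsigned int ncpus,
                        unsigned int numgrps)
{
    if (ZERO_OR_NULL_PTR(masks)) {   /* stand-in for the page fault */
        last_call_would_oops = true;
        return;
    }
    for (unsigned int cpu = 0; cpu < ncpus && cpu < MAX_CPUS; cpu++)
        masks[cpu % numgrps].cpus |= 1UL << cpu;
}

/* Hypothetical reduced group_cpus_evenly() before the fix: the NULL test does
 * not catch ZERO_SIZE_PTR, so numgrps == 0 flows straight into spread_cpus(). */
static struct cpu_group *group_cpus_evenly_vulnerable(unsigned int ncpus,
                                                      unsigned int numgrps)
{
    struct cpu_group *masks;

    last_call_would_oops = false;
    masks = model_kcalloc(numgrps, sizeof(*masks));
    if (!masks)
        return NULL;
    spread_cpus(masks, ncpus, numgrps);
    return masks;
}

/* Same routine with the fix this page describes: reject numgrps == 0 before
 * allocating, so kcalloc() is never asked for zero bytes. */
static struct cpu_group *group_cpus_evenly_fixed(unsigned int ncpus,
                                                 unsigned int numgrps)
{
    struct cpu_group *masks;

    last_call_would_oops = false;
    if (numgrps == 0)
        return NULL;
    masks = model_kcalloc(numgrps, sizeof(*masks));
    if (!masks)
        return NULL;
    spread_cpus(masks, ncpus, numgrps);
    return masks;
}

/* True if the vulnerable path would have oopsed for this numgrps (8 CPUs). */
static bool vulnerable_oopses(unsigned int numgrps)
{
    struct cpu_group *m = group_cpus_evenly_vulnerable(8, numgrps);
    bool oops = last_call_would_oops;
    model_kfree(m);
    return oops;
}

/* Same check against the fixed path. */
static bool fixed_oopses(unsigned int numgrps)
{
    struct cpu_group *m = group_cpus_evenly_fixed(8, numgrps);
    bool oops = last_call_would_oops;
    model_kfree(m);
    return oops;
}

/* CPUs landing in group g when 8 CPUs are split into numgrps groups
 * by the fixed routine; -1 when the routine refuses the request. */
static int cpus_in_group(unsigned int numgrps, unsigned int g)
{
    struct cpu_group *m = group_cpus_evenly_fixed(8, numgrps);
    int n = m ? __builtin_popcountl(m[g].cpus) : -1;
    model_kfree(m);
    return n;
}

int main(void)
{
    printf("numgrps=0, vulnerable: would oops = %d\n", vulnerable_oopses(0));
    printf("numgrps=0, fixed:      would oops = %d\n", fixed_oopses(0));
    printf("numgrps=3: group 0 gets %d of 8 CPUs, group 2 gets %d\n",
           cpus_in_group(3, 0), cpus_in_group(3, 2));
    return 0;
}
```

The point the model makes is that a `!ptr` test is not a size check: any kernel code that can reach an allocator with a caller-controlled count of zero needs to validate the count itself, or use ZERO_OR_NULL_PTR() on the result.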
How can this vulnerability impact me?
This vulnerability causes the Linux kernel to panic, which takes the whole host down: a denial of service rather than a privilege escalation or information leak. The trigger is a write to the null_blk driver's configfs attributes, which is normally restricted to root, so in practice this is a crash reachable by a privileged local user (or by an automated tool, test harness or misconfiguration acting as one), not something a remote or unprivileged attacker can reach. Hosts that load null_blk and drive it through configfs, typically storage test and benchmark systems, are the ones exposed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no network-visible symptom; detection is done on the host. First check whether the conditions exist at all: 'uname -r' shows the running kernel version to compare against the fixed releases, and 'lsmod | grep null_blk' shows whether the null_blk driver is loaded (if it is never loaded, the vulnerable path cannot be reached). Second, look for past occurrences in the kernel log: 'dmesg | grep -A20 -i "NULL pointer dereference"' or 'journalctl -k | grep -A20 -i "NULL pointer dereference"'. A match for this bug has the 'BUG: kernel NULL pointer dereference' line followed by an oops report whose RIP or call trace names group_cpus_evenly; a BUG line without that frame is some other crash. Note that the kernel log is lost on a panic unless it is captured by a serial console, kdump, pstore or a remote log sink, so absence of evidence in 'dmesg' after a reboot proves little. Writing 0 to poll_queues in the null_blk configfs tree will reproduce the panic on a vulnerable kernel, but that is a deliberate crash: do it only on a disposable test VM, never on a host you care about.
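The two-part signature described above (a BUG line followed, within the same oops report, by a frame naming group_cpus_evenly) is what separates this crash from any other NULL dereference in the log. As an added example, not code from the page or from the kernel project, here is a small C scanner that applies that rule to saved kernel-log text. The log lines, timestamps, symbol offsets and the example_other_driver_fn symbol in the sample are constructed for this example; the OOPS_WINDOW line budget is an assumption, not a kernel constant.

```c
/* Added example: scan kernel-log text (dmesg / journalctl -k output) for a
 * NULL-pointer oops whose report names group_cpus_evenly. A bare grep for
 * the BUG string would also match unrelated oopses; this counts only reports
 * where the frame appears within OOPS_WINDOW lines of the BUG line and
 * before the "---[ end trace" marker that closes a report. */
#include <stdio.h>
#include <string.h>

#define OOPS_WINDOW 40   /* assumed upper bound on lines between BUG and frame */

/* Returns the number of oops reports in `log` matching the signature. */
static int count_group_cpus_evenly_oopses(const char *log)
{
    int hits = 0;
    int since_bug = -1;   /* -1: not inside a report; else lines since BUG */
    char line[512];
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof(line))
            len = sizeof(line) - 1;       /* over-long lines are split */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        if (strstr(line, "BUG: kernel NULL pointer dereference")) {
            since_bug = 0;                /* a new report starts here */
            continue;
        }
        if (since_bug < 0)
            continue;                     /* outside any report */
        if (strstr(line, "group_cpus_evenly")) {
            hits++;
            since_bug = -1;               /* count each report once */
        } else if (++since_bug > OOPS_WINDOW || strstr(line, "---[ end trace")) {
            since_bug = -1;               /* report ended without the frame */
        }
    }
    return hits;
}

/* Constructed sample log: one matching report, one unrelated oops.
 * Address 0x10 is where a write through ZERO_SIZE_PTR (16) would land. */
static const char SAMPLE_LOG[] =
    "[   41.102212] null_blk: module loaded\n"
    "[   57.334971] BUG: kernel NULL pointer dereference, address: 0000000000000010\n"
    "[   57.335002] #PF: supervisor write access in kernel mode\n"
    "[   57.335030] RIP: 0010:group_cpus_evenly+0x1e0/0x6a0\n"
    "[   57.335200] Call Trace:\n"
    "[   57.335210]  <TASK>\n"
    "[   57.335230]  </TASK>\n"
    "[   57.335300] ---[ end trace 0000000000000000 ]---\n"
    "[  102.000100] BUG: kernel NULL pointer dereference, address: 0000000000000000\n"
    "[  102.000200] RIP: 0010:example_other_driver_fn+0x10/0x40\n"
    "[  102.000300] ---[ end trace 0000000000000000 ]---\n";

int main(void)
{
    printf("matching oops reports in sample log: %d\n",
           count_group_cpus_evenly_oopses(SAMPLE_LOG));
    return 0;
}
```

To run it against a real host, feed the program the output of 'journalctl -k -b -1' (the previous boot) or a kdump/pstore capture, since the log of the boot that panicked is what carries the evidence.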
What immediate steps should I take to mitigate this vulnerability?
Update to a kernel that carries the fix, which checks numgrps before the allocation in group_cpus_evenly() and returns NULL when it is zero, so the zero-size kcalloc() never happens. Until the update is applied, do not write 0 to poll_queues in the null_blk configfs tree, and restrict who can write to that tree (it is root-only by default; keep it that way). null_blk is a test driver with no role on production systems, so where it is not needed the simplest mitigation is to not load it at all, or to unload it with 'modprobe -r null_blk', which removes the only reported path to the bug.