In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length
If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec().
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp] Call trace: process_one_work+0x174/0x3c8 worker_thread+0x2d0/0x3e8 kthread+0x104/0x110
Fix the bug by raising a fatal error if DATAL isnt coherent with the packet size. Also, the PDU length should never exceed the MAXH2CDATA parameter which has been communicated to the host in nvmet_tcp_handle_icreq().
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Linux_kernel | Linux | 5.0.0 (including) | 5.4.268 (excluding) |
| Linux_kernel | Linux | 5.5.0 (including) | 5.10.209 (excluding) |
| Linux_kernel | Linux | 5.11.0 (including) | 5.15.148 (excluding) |
| Linux_kernel | Linux | 5.16.0 (including) | 6.1.75 (excluding) |
| Linux_kernel | Linux | 6.2.0 (including) | 6.6.14 (excluding) |
| Linux_kernel | Linux | 6.7.0 (including) | 6.7.2 (excluding) |