In the Linux kernel, the following vulnerability has been resolved:
md-cluster: fix NULL pointer dereference in process_metadata_update
The function process_metadata_update() blindly dereferences the 'thread'
pointer (acquired via rcu_dereference_protected) within the wait_event()
macro.
While the code comment states "daemon thread must exist", there is a valid
race condition window during the MD array startup sequence (md_run):
1. bitmap_load() is called, which invokes md_cluster_ops->join().
2. join() starts the "cluster_recv" thread (recv_daemon).
3. At this point, recv_daemon is active and processing messages.
4. However, mddev->thread (the main MD thread) is not initialized until
later in md_run().
If a METADATA_UPDATED message is received from a remote node during this
specific window, process_metadata_update() will be called while
mddev->thread is still NULL, leading to a kernel panic.
To fix this, we must validate the 'thread' pointer. If it is NULL, we
release the held lock (no_new_dev_lockres) and return early, safely
ignoring the update request as the array is not yet fully ready to
process it.
A NULL pointer dereference vulnerability exists in the Linux kernel's md-cluster module when processing metadata updates during array startup. An attacker on a remote cluster node can trigger a kernel panic by sending a METADATA_UPDATED message during the race condition window before the main MD thread is initialized.
تحدث هذه الثغرة في وحدة md-cluster بنواة لينكس حيث يتم إلغاء مؤشر NULL عند معالجة تحديثات البيانات الوصفية. يوجد نافذة تنافس أثناء بدء تشغيل مصفوفة MD حيث يكون الخيط الرئيسي غير مهيأ بعد، مما يسمح بحدوث انهيار النواة.
A NULL pointer dereference vulnerability exists in the Linux kernel's md-cluster module when processing metadata updates during array startup. An attacker on a remote cluster node can trigger a kernel panic by sending a METADATA_UPDATED message during the race condition window before the main MD thread is initialized.
Update the Linux kernel to the latest patched version. Implement proper NULL pointer checks in process_metadata_update() before dereferencing the thread pointer. Apply the upstream kernel patch that adds validation of mddev->thread existence before use in wait_event() macro.
قم بتحديث نواة لينكس إلى أحدث إصدار مصحح. قم بتنفيذ فحوصات مؤشر فارغ مناسبة في process_metadata_update() قبل إلغاء المؤشر. طبق رقعة نواة المصدر التي تضيف التحقق من وجود mddev->thread قبل الاستخدام في ماكرو wait_event().