Description
In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() A crash was observed with the following output: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary) RIP: 0010:bitmap_parselist+0x53/0x3e0 Call Trace: <TASK> osnoise_cpus_write+0x7a/0x190 vfs_write+0xf8/0x410 ? do_sys_openat2+0x88/0xd0 ksys_write+0x60/0xd0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> This issue can be reproduced by below code: fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY); write(fd, "0-2", 0); When user pass 'count=0' to osnoise_cpus_write(), kmalloc() will return ZERO_SIZE_PTR (16) and cpulist_parse() treat it as a normal value, which trigger the null pointer dereference. Add check for the parameter 'count'.
Product status
17f89102fe23d7389085a8820550df688f79888a (git) before e33228a2cc7ff706ca88533464e8a3b525b961ed
17f89102fe23d7389085a8820550df688f79888a (git) before c1628c00c4351dd0727ef7f670694f68d9e663d8
6.16
Any version before 6.16
6.16.8 (semver)
6.17 (original_commit_for_fix)
References
git.kernel.org/...c/e33228a2cc7ff706ca88533464e8a3b525b961ed
git.kernel.org/...c/c1628c00c4351dd0727ef7f670694f68d9e663d8
