Description
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0.
Product status
5866efa8cbfbadf3905072798e96652faf02dbe8 (git) before a8f1e445ce3545c90d69c9e8ff8f7821825fe810
5866efa8cbfbadf3905072798e96652faf02dbe8 (git) before 4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d
5866efa8cbfbadf3905072798e96652faf02dbe8 (git) before f9e53f69ac3bc4ef568b08d3542edac02e83fefd
5866efa8cbfbadf3905072798e96652faf02dbe8 (git) before 7452d53f293379e2c38cfa8ad0694aa46fc4788b
5866efa8cbfbadf3905072798e96652faf02dbe8 (git) before a2c6f25ab98b423f99ccd94874d655b8bcb01a19
5866efa8cbfbadf3905072798e96652faf02dbe8 (git) before 1c8bb965e9b0559ff0f5690615a527c30f651dd8
5866efa8cbfbadf3905072798e96652faf02dbe8 (git) before d4b69a6186b215d2dc1ebcab965ed88e8d41768d
66ed7b413d31c6ff23901ac4443b1cc1af2f6113 (git)
7be8c165dc81564705e8e0b72d398ef708f67eaa (git)
5.5
Any version before 5.5
5.10.248 (semver)
5.15.198 (semver)
6.1.160 (semver)
6.6.120 (semver)
6.12.64 (semver)
6.18.3 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810
git.kernel.org/...c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d
git.kernel.org/...c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd
git.kernel.org/...c/7452d53f293379e2c38cfa8ad0694aa46fc4788b
git.kernel.org/...c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19
git.kernel.org/...c/1c8bb965e9b0559ff0f5690615a527c30f651dd8
git.kernel.org/...c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d