Linux · Linux Kernel · CVE-2024-26688
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 6.8.0-rc2-default+
**Description**
The vulnerability is a NULL pointer dereference in the `hugetlbfs_fill_super()` function when a hugetlb filesystem is configured via the `fsconfig()` syscall. When the requested `pagesize` is invalid, `ctx->hstate` is overwritten with NULL even though the request itself is rejected. When `hugetlbfs_fill_super()` later dereferences `ctx->hstate` during filesystem creation, the result is a NULL pointer dereference and a kernel crash.
The issue arises from the following steps:
1. Opening a hugetlbfs filesystem using `fsopen()`.
2. Setting the pagesize using `fsconfig()` with an invalid value.
3. Creating the filesystem using `fsconfig()` with `FSCONFIG_CMD_CREATE`.
Technical details about exploitation include:
- **API Endpoints:** The vulnerability is triggered through the `fsconfig()` syscall, specifically when setting the `pagesize` parameter.
- **Vulnerable Parameters or Variables:** The `ctx->hstate` variable is overwritten with NULL when an invalid `pagesize` is requested.
- **Function Names:** The `hugetlbfs_fill_super()` and `hugetlbfs_parse_param()` functions are involved in the vulnerability.
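The following is an added user-space model of the kernel-side logic described above; it is not the kernel's own code. It contrasts a parameter parser that stores the lookup result into the mount context before checking it (so a rejected `pagesize` leaves `ctx->hstate` NULL for the later `FSCONFIG_CMD_CREATE` step) with a hardened parser that validates into a local variable first. The `model_`-prefixed names, the two-entry page-size table and the default-hstate initialisation at `fsopen()` time are assumptions made for the demonstration.

```c
/*
 * Added example (not kernel code): model of hugetlbfs mount-context handling.
 * Shows how an invalid pagesize can leave ctx->hstate NULL for the CREATE
 * step, and the hardened pattern that validates before touching the context.
 */
#include <stddef.h>
#include <stdio.h>

#define EINVAL 22

struct hstate {
    unsigned long size;   /* huge page size in bytes */
    const char *name;
};

/* Constructed table standing in for the kernel's registered hstates (assumption). */
static const struct hstate model_hstates[] = {
    { 2UL << 20, "2MB" },
    { 1UL << 30, "1GB" },
};

/* Mount context: the field that the fsconfig() pagesize= parameter writes into. */
struct model_fs_context {
    const struct hstate *hstate;  /* NULL here is the crash-inducing state */
};

/* Analogue of size_to_hstate(): NULL when no registered hstate has this size. */
static const struct hstate *model_size_to_hstate(unsigned long size)
{
    for (size_t i = 0; i < sizeof(model_hstates) / sizeof(model_hstates[0]); i++)
        if (model_hstates[i].size == size)
            return &model_hstates[i];
    return NULL;
}

/* Vulnerable pattern: the lookup result lands in ctx->hstate before it is
 * checked, so a rejected pagesize still replaces a valid hstate with NULL
 * even though -EINVAL is reported to the caller. */
static int parse_pagesize_vulnerable(struct model_fs_context *ctx, unsigned long ps)
{
    ctx->hstate = model_size_to_hstate(ps);
    if (!ctx->hstate)
        return -EINVAL;   /* error returned, but the context is now poisoned */
    return 0;
}

/* Hardened pattern: validate into a local first; the context is only
 * updated once the requested size is known to be supported. */
static int parse_pagesize_fixed(struct model_fs_context *ctx, unsigned long ps)
{
    const struct hstate *h = model_size_to_hstate(ps);
    if (!h)
        return -EINVAL;   /* ctx->hstate keeps its previous, valid value */
    ctx->hstate = h;
    return 0;
}

/* Model of the FSCONFIG_CMD_CREATE step. The real fill_super dereferences
 * ctx->hstate unconditionally; this model reports NULL instead of crashing.
 * Returns the page size the superblock would use, or 0 for the NULL state. */
static unsigned long model_fill_super(const struct model_fs_context *ctx)
{
    if (!ctx->hstate)
        return 0;   /* the kernel would take a NULL pointer dereference here */
    return ctx->hstate->size;
}

/* Run the three-step sequence from the text with the given parser and
 * report the page size CREATE ends up with (0 means the NULL state). */
static unsigned long run_sequence(int (*parse)(struct model_fs_context *, unsigned long),
                                  unsigned long bad_ps)
{
    /* fsopen(): context starts with a default hstate (assumption for the model) */
    struct model_fs_context ctx = { .hstate = &model_hstates[0] };
    (void)parse(&ctx, bad_ps);        /* fsconfig(pagesize=<invalid>): -EINVAL either way */
    return model_fill_super(&ctx);    /* fsconfig(FSCONFIG_CMD_CREATE) */
}

int main(void)
{
    unsigned long bad = 3UL << 20;   /* 3 MB: constructed, not a supported size */
    printf("vulnerable parser: CREATE sees hstate size %lu\n",
           run_sequence(parse_pagesize_vulnerable, bad));
    printf("fixed parser:      CREATE sees hstate size %lu\n",
           run_sequence(parse_pagesize_fixed, bad));
    return 0;
}
```

Both parsers return `-EINVAL` for the bad size, which is why the failure is easy to miss in review: the difference is only visible in what the context holds afterwards, and that is exactly what the later create step consumes.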
**Recommendations**
To resolve the issue, update the Linux kernel to a version that includes the fix for the NULL pointer dereference in `hugetlbfs_fill_super()`. As a temporary workaround, consider restricting the use of the hugetlbfs filesystem or validating the `pagesize` parameter before setting it via `fsconfig()`.