CVE-2025-22018

Source
https://cve.org/CVERecord?id=CVE-2025-22018
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22018.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-22018
Downstream
Related
Published
2025-04-16T05:04:54.697Z
Modified
2026-03-20T12:41:17.029518Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
atm: Fix NULL pointer dereference
Details

In the Linux kernel, the following vulnerability has been resolved:

atm: Fix NULL pointer dereference

When MPOA_cache_impos_rcvd() receives the msg, it can trigger a NULL pointer dereference vulnerability if both entry and holding_time are NULL. Because there is only a check for the situation where entry is NULL and holding_time exists, it can be passed when both entry and holding_time are NULL. If these are NULL, the entry will be passed to eg_cache_put() as a parameter and it is referenced by the entry->use code in it.

kasan log:

[ 3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I
[ 3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102
[ 3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470
[ 3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80
[ 3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006
[ 3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e
[ 3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030
[ 3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88
[ 3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15
[ 3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068
[ 3.324185] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000
[ 3.325042] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0
[ 3.326430] Call Trace:
[ 3.326725] <TASK>
[ 3.326927] ? die_addr+0x3c/0xa0
[ 3.327330] ? exc_general_protection+0x161/0x2a0
[ 3.327662] ? asm_exc_general_protection+0x26/0x30
[ 3.328214] ? vprintk_emit+0x15e/0x420
[ 3.328543] ? eg_cache_remove_entry+0xa5/0x470
[ 3.328910] ? eg_cache_remove_entry+0x9a/0x470
[ 3.329294] ? __pfx_eg_cache_remove_entry+0x10/0x10
[ 3.329664] ? console_unlock+0x107/0x1d0
[ 3.329946] ? __pfx_console_unlock+0x10/0x10
[ 3.330283] ? do_syscall_64+0xa6/0x1a0
[ 3.330584] ? entry_SYSCALL_64_after_hwframe+0x47/0x7f
[ 3.331090] ? __pfx_prb_read_valid+0x10/0x10
[ 3.331395] ? down_trylock+0x52/0x80
[ 3.331703] ? vprintk_emit+0x15e/0x420
[ 3.331986] ? __pfx_vprintk_emit+0x10/0x10
[ 3.332279] ? down_trylock+0x52/0x80
[ 3.332527] ? _printk+0xbf/0x100
[ 3.332762] ? __pfx__printk+0x10/0x10
[ 3.333007] ? _raw_write_lock_irq+0x81/0xe0
[ 3.333284] ? __pfx__raw_write_lock_irq+0x10/0x10
[ 3.333614] msg_from_mpoad+0x1185/0x2750
[ 3.333893] ? __build_skb_around+0x27b/0x3a0
[ 3.334183] ? __pfx_msg_from_mpoad+0x10/0x10
[ 3.334501] ? __alloc_skb+0x1c0/0x310
[ 3.334809] ? __pfx___alloc_skb+0x10/0x10
[ 3.335283] ? _raw_spin_lock+0xe0/0xe0
[ 3.335632] ? finish_wait+0x8d/0x1e0
[ 3.335975] vcc_sendmsg+0x684/0xba0
[ 3.336250] ? __pfx_vcc_sendmsg+0x10/0x10
[ 3.336587] ? __pfx_autoremove_wake_function+0x10/0x10
[ 3.337056] ? fdget+0x176/0x3e0
[ 3.337348] __sys_sendto+0x4a2/0x510
[ 3.337663] ? __pfx___sys_sendto+0x10/0x10
[ 3.337969] ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400
[ 3.338364] ? sock_ioctl+0x1bb/0x5a0
[ 3.338653] ? __rseq_handle_notify_resume+0x825/0xd20
[ 3.339017] ? __pfx_sock_ioctl+0x10/0x10
[ 3.339316] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 3.339727] ? selinux_file_ioctl+0xa4/0x260
[ 3.340166] __x64_sys_sendto+0xe0/0x1c0
[ 3.340526] ? syscall_exit_to_user_mode+0x123/0x140
[ 3.340898] do_syscall_64+0xa6/0x1a0
[ 3.341170] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3.341533] RIP: 0033:0x44a380
[ 3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00
[
---truncated---
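The branch ordering the description refers to, as an added example that is not the kernel's code and not part of this record: a simplified C model of the receive path, with the pre-fix ordering (only the "entry is NULL and holding_time exists" case is NULL-aware, so the NULL/zero combination falls through to the remove path) beside a hardened ordering that drops that combination before any dereference. The type and function names (model_eg_entry, impos_rcvd_before, impos_rcvd_after, action_derefs_null, apply_action) are constructed for illustration; the page's own identifiers are MPOA_cache_impos_rcvd(), eg_cache_put() and entry->use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's egress cache entry: only the
 * field the description names (use) plus the holding time. */
typedef struct {
    int use;
    uint16_t holding_time;
} model_eg_entry;

/* What the receive path decides to do with an incoming message. */
enum impos_action { ACT_ADD, ACT_UPDATE, ACT_REMOVE, ACT_IGNORE };

/* Model of the branch order before the fix (hypothetical name, not the
 * kernel source). The only NULL-aware test is "no entry, but a holding
 * time", so (NULL, 0) falls through to the remove path. */
enum impos_action impos_rcvd_before(const model_eg_entry *entry, uint16_t holding_time)
{
    if (entry == NULL && holding_time)
        return ACT_ADD;
    if (holding_time)
        return ACT_UPDATE;
    return ACT_REMOVE;           /* reached with entry == NULL */
}

/* Model of a hardened order: a message naming an entry we do not hold,
 * with no holding time, has nothing to update or remove and is dropped. */
enum impos_action impos_rcvd_after(const model_eg_entry *entry, uint16_t holding_time)
{
    if (entry == NULL && holding_time)
        return ACT_ADD;
    if (entry == NULL)
        return ACT_IGNORE;       /* the missing case */
    if (holding_time)
        return ACT_UPDATE;
    return ACT_REMOVE;
}

/* UPDATE and REMOVE both dereference entry (the kernel's remove path
 * reads entry->use), so either with a NULL entry is the reported crash. */
bool action_derefs_null(enum impos_action act, const model_eg_entry *entry)
{
    return entry == NULL && (act == ACT_UPDATE || act == ACT_REMOVE);
}

/* Apply an action; returns the entry's refcount afterwards, or -1 when
 * the action would have dereferenced NULL (refuse instead of crashing). */
int apply_action(enum impos_action act, model_eg_entry *entry, uint16_t holding_time)
{
    if (action_derefs_null(act, entry))
        return -1;
    switch (act) {
    case ACT_UPDATE:
        entry->holding_time = holding_time;
        return entry->use;
    case ACT_REMOVE:
        return --entry->use;     /* the entry->use access the text describes */
    default:
        return 0;                /* ADD allocates a new entry; IGNORE does nothing */
    }
}

int main(void)
{
    model_eg_entry e = { .use = 1, .holding_time = 60 };
    printf("before fix, (NULL, 0): dereferences NULL = %d\n",
           action_derefs_null(impos_rcvd_before(NULL, 0), NULL));
    printf("after fix,  (NULL, 0): dereferences NULL = %d\n",
           action_derefs_null(impos_rcvd_after(NULL, 0), NULL));
    printf("after fix,  (entry, 0): use after remove = %d\n",
           apply_action(impos_rcvd_after(&e, 0), &e, 0));
    return 0;
}
```

The two dispatchers agree on every input except (NULL, 0), which is exactly the combination the description says slips past the single existing check; the hardened version returns ACT_IGNORE there, so nothing downstream ever reads entry->use through a NULL pointer.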

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22018.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
ab92f51c7f53a08f1a686bfb80690ebb3672357d
Fixed
1505f9b720656b17865e4166ab002960162bf679
Fixed
d7f1e4a53a51cc6ba833afcb40439f18dab61c1f
Fixed
0ef6e49881b6b50ac454cb9d6501d009fdceb6fc
Fixed
9da6b6340dbcf0f60ae3ec6a7d6438337c32518a
Fixed
09691f367df44fe93255274d80a439f9bb3263fc
Fixed
3c23bb2c894e9ef2727682f98c341b20f78c9013
Fixed
14c7aca5ba2740973de27c1bb8df77b4dcb6f775
Fixed
bf2986fcf82a449441f9ee4335df19be19e83970

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22018.json"