Linux Kernel veth Device Header Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's veth networking component can trigger a kernel bug. When a decapsulated packet is sent through a veth device using the act_mirred action, the length of the packet's header can be zero. The veth_xmit function nevertheless forwards the packet without ensuring that it contains the required Ethernet header length. The failure then occurs further along the packet processing pipeline, in code that expects the header to be present.

Impact

Exploitation of this vulnerability can cause a kernel panic, leading to a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by sending a decapsulated packet through a veth device that has the act_mirred action applied. This can be done by creating a veth pair, attaching one end to a network namespace, and using the act_mirred action to mirror packets. When a packet is decapsulated and forwarded, the veth_xmit function will call __dev_forward_skb(), which requires a minimum Ethernet header length. If this length is not met, a kernel bug is triggered.
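The missing check described in the Vulnerability and Reproduction sections can be shown with a simplified userspace model. This is an added example, not kernel code and not the upstream fix; struct pkt and all function names are hypothetical, and forward() returns FWD_BUG where the real forwarding path would hit a kernel bug.

```c
#include <stddef.h>
#include <string.h>

#define ETH_HLEN 14  /* Ethernet header length in bytes */

/* Hypothetical userspace stand-in for an skb: a linear head plus one fragment. */
struct pkt {
    unsigned char head[64];
    size_t head_len;            /* bytes in the linear area (0 after decap) */
    const unsigned char *frag;  /* remaining payload held outside the head */
    size_t frag_len;
};

enum { FWD_OK = 0, FWD_DROP = 1, FWD_BUG = 2 };

/* Stand-in for the forwarding step: it assumes ETH_HLEN linear bytes. */
static int forward(const struct pkt *p)
{
    return p->head_len >= ETH_HLEN ? FWD_OK : FWD_BUG;
}

/* Move bytes from the fragment into the head until `need` are linear. */
static int may_pull(struct pkt *p, size_t need)
{
    if (p->head_len >= need)
        return 1;
    size_t missing = need - p->head_len;
    if (missing > p->frag_len || need > sizeof(p->head))
        return 0;               /* packet is too short: caller must drop */
    memcpy(p->head + p->head_len, p->frag, missing);
    p->head_len += missing;
    p->frag += missing;
    p->frag_len -= missing;
    return 1;
}

/* Behaviour described on the page: forward without checking the header. */
static int xmit_unchecked(struct pkt *p) { return forward(p); }

/* Hardened form: guarantee the header is linear, otherwise drop. */
static int xmit_checked(struct pkt *p)
{
    if (!may_pull(p, ETH_HLEN))
        return FWD_DROP;
    return forward(p);
}

/* Constructed sample: `len` payload bytes, all outside the linear head. */
static struct pkt make_decapsulated(const unsigned char *buf, size_t len)
{
    struct pkt p = { .head_len = 0, .frag = buf, .frag_len = len };
    return p;
}
```

The checked path either makes the header available before forwarding or drops the packet, so the forwarding step never sees a zero-length header.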

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.