Linux Kernel PMTU Check Vulnerability in IP Tunneling

A vulnerability has been identified in the Linux kernel's IP tunneling implementation, specifically within the skb_tunnel_check_pmtu() function. This issue arises because the function improperly assumes that the MAC header is set, which can lead to incorrect packet fragmentation handling. The vulnerability was exposed by a recent addition of debug warnings in the networking stack, highlighting the absence of a MAC header in certain transmission paths. The issue has been reported in Linux kernel version 5.19.0-rc2.

Impact

Exploitation of this vulnerability can cause improper handling of packet fragmentation, potentially leading to issues such as packet loss or fragmentation-related attacks.

Reproduction

The vulnerability can be reproduced by sending packets through an IP tunnel using the Geneve protocol. The packets will be transmitted without a properly set MAC header, triggering the bug in the PMTU check. This can be done using a syzkaller fuzzing tool, which automates the process of finding such vulnerabilities by sending a large number of random inputs to the kernel.